[193353] in North American Network Operators' Group
Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
To: Saku Ytti <saku@ytti.fi>
From: Fernando Gont <fgont@si6networks.com>
Date: Thu, 12 Jan 2017 12:02:05 -0300
In-Reply-To: <CAAeewD-hJu0VefQpQvu2WT8Wdg4Zu1gMKULGU43MXr3uArg8GA@mail.gmail.com>
Cc: NANOG <nanog@nanog.org>
Hi, Saku,
On 01/12/2017 11:43 AM, Saku Ytti wrote:
> On 12 January 2017 at 13:19, Fernando Gont <fgont@si6networks.com> wrote:
> 
> Hey,
> 
>> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
>> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
>> welcome).
> 
> "Generally" may be understood differently by different people. If
> "generally" is defined as the single most typical behaviour/configuration,
> then generally people don't protect their infrastructure in any way at
> all, but fully rely on the vendor doing something reasonable.
> 
> I would argue BCP is to have a 'strict' CoPP, where you specifically
> allow what you must and then have an ultimate rule to deny everything. If you
> have such a CoPP, then this attack won't work, as you clearly didn't
> allow any fragments at all (as you didn't expect to receive BGP
> fragments from your neighbours).
That's the point: If you don't allow fragments, but your peer honors
ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
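To make the failure mode in this exchange concrete, below is an added Python model (not code from the thread or from any vendor) of first-match CoPP evaluation: the strict "permit what you must, then deny all" policy drops the non-initial fragments a peer starts emitting after it honors an ICMPv6 PTB<1280, so the BGP session loses data, while permitting fragments only from configured neighbours keeps it up. Addresses, packet fields and rule fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values: one configured BGP neighbour of the local router.
PEER = "2001:db8::2"

@dataclass(frozen=True)
class Pkt:
    src: str
    proto: str                    # "tcp" or "icmpv6"
    dport: Optional[int] = None   # None = no transport header visible
    fragment: bool = False        # IPv6 Fragment header present

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str = "any"
    src: str = "any"
    dport: Optional[int] = None       # None = any port
    fragment: Optional[bool] = None   # None = fragments and non-fragments alike

    def matches(self, p: Pkt) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        # A port match needs a visible transport header; non-initial fragments have none.
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.fragment is not None and self.fragment != p.fragment:
            return False
        return True

def copp_decide(rules, p: Pkt) -> str:
    """First match wins; anything unmatched is denied to the control plane."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# What a peer honoring PTB<1280 sends once a large BGP segment no longer fits:
# an initial fragment (TCP header visible) and a non-initial one (no TCP header).
PEER_TRAFFIC = [
    Pkt(PEER, "tcp", dport=179),                   # ordinary BGP segment
    Pkt(PEER, "tcp", dport=179, fragment=True),    # initial fragment
    Pkt(PEER, "tcp", dport=None, fragment=True),   # non-initial fragment
]

STRICT = [Rule("permit", "tcp", PEER, dport=179), Rule("permit", "icmpv6"), Rule("deny")]
# Same policy, but fragments from configured neighbours are permitted before deny-all.
STRICT_WITH_PEER_FRAGS = STRICT[:2] + [Rule("permit", src=PEER, fragment=True)] + STRICT[2:]

def session_survives(rules) -> bool:
    """True only if every piece of the peer's fragmented BGP segment is permitted."""
    return all(copp_decide(rules, p) == "permit" for p in PEER_TRAFFIC)
```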