[193359] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

daemon@ATHENA.MIT.EDU (Fernando Gont)
Thu Jan 12 15:20:32 2017

X-Original-To: nanog@nanog.org
In-Reply-To: <CAAeewD96awiO=AVS-FUVNH=zgKM4ETj5Z9rjngE2OoizJMnG9g@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Date: Thu, 12 Jan 2017 17:19:42 -0300
To: Saku Ytti <saku@ytti.fi>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

El 12/1/2017 16:32, "Saku Ytti" <saku@ytti.fi> escribi=C3=B3:

On 12 January 2017 at 17:02, Fernando Gont <fgont@si6networks.com> wrote:
> That's the point: If you don't allow fragments, but your peer honors
> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

Thanks. I think I got it now. Best I can offer is that B could try to
verify the embedded original packet? Hopefully attacker won't have
access to that information. An if attacker has access to that
information, they may as well do TCP RST, right?

Didn't we have same issues in IPv4 with ICMP unreachable and frag
neeeded, DF set? And vendors implemented more verification if the ICMP
message should be accepted.


Yes and no.

1) there was no way in v4 to trigger use of fragmentation for an arbitrary
flow.

2) in v4 you were guaranteed to get the IP+TCP header in the ICMP payload.
In ipv6, you aren't (think ipv6 EHs)

Thanks,
Fernando

home help back first fref pref prev next nref lref last post