[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

Subject: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
From: saku at ytti.fi (Saku Ytti)
Date: Thu, 12 Jan 2017 21:31:53 +0200
In-reply-to: <[email protected]>
References: <[email protected]> <CAAeewD-hJu0VefQpQvu2WT8Wdg4Zu1gMKULGU43MXr3uArg8GA@mail.gmail.com> <[email protected]>

On 12 January 2017 at 17:02, Fernando Gont <fgont at si6networks.com> wrote:
> That's the point: If you don't allow fragments, but your peer honors
> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

Thanks. I think I got it now. Best I can offer is that B could try to
verify the embedded original packet? Hopefully attacker won't have
access to that information. An if attacker has access to that
information, they may as well do TCP RST, right?

Didn't we have same issues in IPv4 with ICMP unreachable and frag
neeeded, DF set? And vendors implemented more verification if the ICMP
message should be accepted.

-- 
  ++ytti

Follow-Ups:
- ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
  - From: fgont at si6networks.com (Fernando Gont)
- ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
  - From: fgont at si6networks.com (Fernando Gont)

References:
- ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
  - From: fgont at si6networks.com (Fernando Gont)
- ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
  - From: saku at ytti.fi (Saku Ytti)
- ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
  - From: fgont at si6networks.com (Fernando Gont)

Prev by Date: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
Next by Date: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
Previous by thread: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
Next by thread: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
Index(es):
- Date
- Thread