ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

• Previous message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Next message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <11ff128d-2fba-7c26-4a9c-5611433d85d2 at si6networks.com>, Fernando Gon
t writes:
> Hi, Saku,
> 
> On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com> wrote:
> > 
> > Hey,
> > 
> >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> >> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> >> welcome).
> > 
> > Generally may be understood differently by different people. If
> > generally is defined as single most typical behaviour/configuration,
> > then generally people don't protect their infrastructure in any way at
> > all, but fully rely vendor doing something reasonable.
> > 
> > I would argue BCP is to have 'strict' CoPP. Where you specifically
> > allow what you must then have ultimate rule to deny everything. If you
> > have such CoPP, then this attack won't work, as you clearly didn't
> > allow any fragments at all (as you didn't expect to receive BGP
> > fragments from your neighbours).
> 
> That's the point: If you don't allow fragments, but your peer honors
> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

And fragments are a *normal* part of IP for both IPv4 and IPv6.
This obsession with dropping all fragments (and yes it is a obsession)
is breaking the internet.

Even if you don't want to allow all fragments through you can allow
fragments between the two endpoints of a "active" connection.  You
can apply port filters to the offset 0 fragments.  If that fragment
doesn't have enough headers to be able to filter then drop it.  If
your firewall is incapable of doing this then find a better firewall
as the current one is a piece of garbage and should be in the recycle
bin.

Which DoS is the bigger issue?  Firewalls dropping fragments or
reassembly buffers being exhausted?  Yes, firewalls dropping fragments
is a denial of service attack.

The initial TCP exchange does not contain fragments.  Most UDP
protocols don't start with a packet that will need to be fragmented.
For other protocols YMMV.

Mark

> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

• Previous message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Next message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]