Dropping IPv6 Fragments
Dobbins, Roland
rdobbins at arbor.net
Thu Oct 4 15:15:45 UTC 2012
On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote:
> Likewise with the acl I have the property that the initial packet has
> all the info in it while the fragment does not.
For iACLs, just filter non-initial fragments directed to infrastructure IPs. Cisco & Juniper ACLs have ACL matching criteria for non-initial fragments.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
More information about the NANOG
mailing list