Dropping IPv6 Fragments

Dobbins, Roland rdobbins at arbor.net
Thu Oct 4 15:15:45 UTC 2012

On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote:

> Likewise with the acl I have the property that the initial packet has 
> all the info in it while the fragment does not. 

For iACLs, just filter non-initial fragments directed to infrastructure IPs.  Cisco & Juniper ACLs have ACL matching criteria for non-initial fragments.

Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the NANOG mailing list