Dropping IPv6 Fragments

Merike Kaeo merike at doubleshotsecurity.com
Thu Oct 4 17:42:31 UTC 2012

On Oct 4, 2012, at 7:36 AM, Dobbins, Roland wrote:

> On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
>> The closer you get to the edge the more common it might become...
> iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - directed towards point-to-point links, loopbacks, and other internal infrastructure with exceptions made for cases where there's a legitimate need for sources outside your network to be able to communicate with your infrastructure.
> As mentioned previously on the thread, this has nothing to do with transit data-plane traffic, which should be left untouched unless it's specifically classified as attack traffic or other undesirable traffic.


> There's an apparently common misperception that fragmented traffic is somehow bad.  It isn't.  It's normal, under most circumstances.  Protect your infrastructure proactively, deal with anything else on a case-by-case basis.

Same misconception as ICMP is bad....historical artifact from attacks in early 90's that just perpetuate in mythical best practice.    

I was just investigating with varying folks whether they also log v6 fragment filtering exceptions and whether anyone has seen anything 'interesting' :)  Nothing interesting yet. 

I'm co-authoring a doc in IETF which consolidates v6 security practices and looks to provide info for what current BCP is as folks are more actively deploying v6.  Was just at RIPE to get input from that operator community and want to solicit input here as well.  

Doc is at: http://tools.ietf.org/html/draft-ietf-opsec-v6-00

Feedback on mailing list would be great: https://www.ietf.org/mailman/listinfo/opsec   but, if easier to send email to authors just do so directly and we'll incorporate and vet appropriately.  All 3 authors follow quite a few *NOG lists and have been involved in deployments so hopefully this can help educate the less informed.

- merike
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 	  Luck is the residue of opportunity and design.
> 		       -- John Milton

More information about the NANOG mailing list