Dropping IPv6 Fragments
fernando at gont.com.ar
Thu Oct 4 19:15:46 UTC 2012
On 10/04/2012 10:58 AM, joel jaeggli wrote:
> So the thing I'd note is that stateless IPV6 ACLs or load balancing
> provide you with an interesting problem since a fragment does not
> contain the headers beyond the required unfragmentable headers.
In the real world, such packets are not legitimate, so feel free to drop
them. draft-ietf-6man-oversized-header-chain formally addresses this issue.
> Likewise with the acl I have the property that the initial packet has
> all the info in it while the fragment does not.
You're talking about initial-fragment vs non-initial fragments? -- If
so, in theory *both* might be missing the upper layer information. IN
practice, the first-fragment won't. If it does, feel free to drop it.
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
More information about the NANOG