Dropping IPv6 Fragments

Fernando Gont fernando at gont.com.ar
Thu Oct 4 19:15:46 UTC 2012


Hi, Joel,

On 10/04/2012 10:58 AM, joel jaeggli wrote:
> So the thing I'd note is that stateless IPV6 ACLs or load balancing
> provide you with an interesting problem since a fragment does not
> contain the headers beyond the required unfragmentable headers.

In the real world, such packets are not legitimate, so feel free to drop
them. draft-ietf-6man-oversized-header-chain formally addresses this issue.


> Likewise with the acl I have the property that the initial packet has
> all the info in it while the fragment does not.

You're talking about initial-fragment vs non-initial fragments? -- If
so, in theory *both* might be missing the upper layer information. IN
practice, the first-fragment won't. If it does, feel free to drop it.

Cheers,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






More information about the NANOG mailing list