ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

• Previous message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Next message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com> wrote:

Hey,

> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> welcome).

Generally may be understood differently by different people. If
generally is defined as single most typical behaviour/configuration,
then generally people don't protect their infrastructure in any way at
all, but fully rely vendor doing something reasonable.

I would argue BCP is to have 'strict' CoPP. Where you specifically
allow what you must then have ultimate rule to deny everything. If you
have such CoPP, then this attack won't work, as you clearly didn't
allow any fragments at all (as you didn't expect to receive BGP
fragments from your neighbours).

-- 
  ++ytti

• Previous message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Next message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]