ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

Saku Ytti saku at ytti.fi
Thu Jan 12 14:43:06 UTC 2017

On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com> wrote:


> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> welcome).

Generally may be understood differently by different people. If
generally is defined as single most typical behaviour/configuration,
then generally people don't protect their infrastructure in any way at
all, but fully rely vendor doing something reasonable.

I would argue BCP is to have 'strict' CoPP. Where you specifically
allow what you must then have ultimate rule to deny everything. If you
have such CoPP, then this attack won't work, as you clearly didn't
allow any fragments at all (as you didn't expect to receive BGP
fragments from your neighbours).


More information about the NANOG mailing list