ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
Fernando Gont
fgont at si6networks.com
Thu Jan 12 15:02:05 UTC 2017
Hi, Saku,
On 01/12/2017 11:43 AM, Saku Ytti wrote:
> On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com> wrote:
>
> Hey,
>
>> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
>> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
>> welcome).
>
> "Generally" may be understood differently by different people. If
> "generally" is defined as the single most typical behaviour/configuration,
> then generally people don't protect their infrastructure in any way at
> all, but fully rely on the vendor doing something reasonable.
>
> I would argue BCP is to have 'strict' CoPP, where you specifically
> allow what you must and then have an ultimate rule to deny everything. If you
> have such CoPP, then this attack won't work, as you clearly didn't
> allow any fragments at all (as you didn't expect to receive BGP
> fragments from your neighbours).
That's the point: If you don't allow fragments, but your peer honors
ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
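The interaction Fernando describes, as an added, runnable model that is not part of the thread: a forged ICMPv6 Packet Too Big advertising an MTU below 1280 is delivered to one BGP speaker; a stack that still follows RFC 2460 section 5 keeps the PMTU at 1280 but adds a Fragment header to every later packet to that destination (an "atomic fragment"), while a stack that follows RFC 8021 (January 2017) does not; the other side's permit-list CoPP, which only ever allowed plain TCP/179, then drops the fragment-header packets and the session cannot carry traffic. The ICMPv6 checksum and the PTB layout are real; the addresses, the invoking packet, the `Ipv6Stack` class and `strict_copp_permits` are constructed for this example, and the stack's check of the invoking packet (destination address only, no transport 4-tuple match) is a deliberate simplification.

```python
"""Model of the ICMPv6 PTB<1280 / fragment-filtering interaction (constructed example).
Pure Python, no network access; every address and packet below is made up here."""
import ipaddress
import struct

IPV6_MIN_MTU = 1280
ICMPV6_PACKET_TOO_BIG = 2
NH_ICMPV6, NH_FRAGMENT, NH_TCP = 58, 44, 6
BGP_PORT = 179


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, icmp: bytes) -> int:
    """ICMPv6 checksum over the IPv6 pseudo-header (src, dst, length, next header 58)."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([NH_ICMPV6]))
    return (~_ones_complement_sum(pseudo + icmp)) & 0xFFFF


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Minimal 40-byte IPv6 header (version 6, no traffic class/flow label, hop limit 64)."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def build_ptb(src: str, dst: str, mtu: int, invoking_packet: bytes) -> bytes:
    """ICMPv6 type 2 code 0: checksum, 4-byte MTU, then as much of the invoking packet
    as fits in a 1280-byte IPv6 packet. The checksum is filled in after the body is known."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu)
    body += invoking_packet[: IPV6_MIN_MTU - 40 - len(body)]
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def ptb_checksum_ok(src: str, dst: str, icmp: bytes) -> bool:
    """A message carrying a correct checksum sums to zero under the same computation."""
    return icmpv6_checksum(src, dst, icmp) == 0


class Ipv6Stack:
    """Per-destination PMTU state of one router (constructed model).
    atomic_fragments=True: RFC 2460 s.5, PTB<1280 => Fragment header on all later packets.
    atomic_fragments=False: RFC 8021 behaviour, PTB<1280 only clamps the PMTU to 1280."""

    def __init__(self, own_addr: str, atomic_fragments: bool):
        self.own_addr = ipaddress.IPv6Address(own_addr)
        self.atomic_fragments = atomic_fragments
        self.pmtu = {}                    # dst -> cached PMTU
        self.needs_fragment_header = set()  # dsts that get an atomic fragment header

    def receive_ptb(self, icmp: bytes) -> None:
        mtu = struct.unpack("!I", icmp[4:8])[0]
        invoking = icmp[8:]
        # Simplification: accept the PTB if the invoking packet's source is us; a real
        # stack may additionally try to match a transport-layer connection.
        if len(invoking) < 40 or ipaddress.IPv6Address(invoking[8:24]) != self.own_addr:
            return
        dst = str(ipaddress.IPv6Address(invoking[24:40]))
        if mtu >= IPV6_MIN_MTU:
            self.pmtu[dst] = min(self.pmtu.get(dst, 1500), mtu)
            return
        self.pmtu[dst] = IPV6_MIN_MTU       # never reduce the PMTU below the IPv6 minimum
        if self.atomic_fragments:
            self.needs_fragment_header.add(dst)

    def bgp_segment_to(self, dst: str) -> dict:
        """Shape of the next BGP segment this router emits towards dst."""
        nh = NH_FRAGMENT if dst in self.needs_fragment_header else NH_TCP
        return {"src": str(self.own_addr), "dst": dst, "next_header": nh, "dport": BGP_PORT}


def strict_copp_permits(pkt: dict) -> bool:
    """Permit-list CoPP as argued for in the thread: BGP over plain TCP, then deny everything.
    A packet whose first next-header is the Fragment header (44) is not plain TCP."""
    return pkt["next_header"] == NH_TCP and pkt["dport"] == BGP_PORT


def bgp_session_survives(atomic_fragments: bool) -> bool:
    """Returns True if router A's BGP segments to B still pass B's strict CoPP after the PTB."""
    router_a, router_b = "2001:db8::a", "2001:db8::b"   # constructed peer addresses
    forged_src = "2001:db8:dead::1"                        # attacker's source, not on the path
    # Constructed invoking packet: a plausible BGP segment A->B guessed by the attacker.
    invoking = ipv6_header(router_a, router_b, NH_TCP, 20) + struct.pack("!HH", 50000, BGP_PORT) + b"\x00" * 16
    ptb = build_ptb(forged_src, router_a, 1000, invoking)   # MTU 1000 < 1280
    assert ptb_checksum_ok(forged_src, router_a, ptb)
    a = Ipv6Stack(router_a, atomic_fragments)
    a.receive_ptb(ptb)
    return strict_copp_permits(a.bgp_segment_to(router_b))


if __name__ == "__main__":
    print("RFC 2460 peer, fragments denied:", "session ok" if bgp_session_survives(True) else "session broken")
    print("RFC 8021 peer, fragments denied:", "session ok" if bgp_session_survives(False) else "session broken")
```

The model makes the operational point concrete: the CoPP itself is not wrong, the cached PMTU stays at 1280 in both cases, and the only difference is whether the peer's stack still honours PTB<1280 by inserting a Fragment header. If you deny fragments to the control plane, the same policy should also deny or rate-limit PTB messages advertising an MTU below 1280 toward your infrastructure addresses, or your peers need stacks that no longer generate atomic fragments.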