ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

• Previous message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Next message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, Saku,

On 01/12/2017 11:43 AM, Saku Ytti wrote:
> On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com> wrote:
> 
> Hey,
> 
>> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
>> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
>> welcome).
> 
> Generally may be understood differently by different people. If
> generally is defined as single most typical behaviour/configuration,
> then generally people don't protect their infrastructure in any way at
> all, but fully rely vendor doing something reasonable.
> 
> I would argue BCP is to have 'strict' CoPP. Where you specifically
> allow what you must then have ultimate rule to deny everything. If you
> have such CoPP, then this attack won't work, as you clearly didn't
> allow any fragments at all (as you didn't expect to receive BGP
> fragments from your neighbours).

That's the point: If you don't allow fragments, but your peer honors
ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

• Previous message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Next message (by thread): ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]