v6 DNSSEC fail, was Buying IPv4 blocks

Brandon Martin lists.nanog at monmotha.net
Fri Oct 5 20:43:24 UTC 2018


On 10/5/18 3:16 AM, Mark Andrews wrote:
> So require frag 0 to have what you require to do the filtering. Most stacks send maximal sized initial fragments up to 1280 bytes. For DNS the UDP header will be there as there is at least 8 bytes of fragmented packet.  Additionally reassembly attacks are much harder as there are 32 bits of fragmentation identifier rather than 16 in IPv4.
> 
> IPv6 fragmentation was designed with knowledge of the IPv4 reassembly attacks in mind.

You'll get no argument from me, here.  This is not new nor are ways to 
deal with it unknown.  Despite that, it's a common reason I hear for 
just blindly dropping all fragments.  Personally, I consider such 
devices/stacks broken, but that doesn't mean we don't have to deal with 
them, unfortunately.

-- 
Brandon Martin
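The rule Mark describes above (let fragment 0 through only if it carries the UDP header you filter on, and key the rest of the fragments to it by the 32-bit identifier) as an added Python example; this is not code from the thread. The addresses, ports and fragment IDs are constructed sample values, and the set of extension headers skipped on the way to the Fragment header is an assumption.

```python
import struct

IPV6_HDR_LEN, FRAG_HDR, UDP = 40, 44, 17
SKIPPABLE_EXT = {0, 43, 60}  # hop-by-hop, routing, destination options (assumed set)

def parse_fragment(pkt: bytes):
    """Walk the IPv6 header chain; return Fragment header fields, or None if unfragmented."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], IPV6_HDR_LEN
    while nxt in SKIPPABLE_EXT:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nxt != FRAG_HDR:
        return None
    if off + 8 > len(pkt):
        raise ValueError("truncated fragment header")
    upper, _res, offlg, ident = struct.unpack_from("!BBHI", pkt, off)
    # offset is in 8-octet units; bit 0 is the M (more fragments) flag; ident is 32 bits
    return {"upper": upper, "offset": (offlg >> 3) * 8, "more": bool(offlg & 1),
            "id": ident, "payload": pkt[off + 8:]}

def udp_frag_decision(pkt: bytes):
    """Policy from the thread: fragment 0 must carry the UDP header we filter on."""
    frag = parse_fragment(pkt)
    if frag is None:
        return "unfragmented"
    if frag["offset"] != 0:
        return "non-initial"  # no ports here; match it to frag 0 by (src, dst, 32-bit id)
    if frag["upper"] != UDP:
        return "not-udp"
    if len(frag["payload"]) < 8:
        return "drop-no-udp-header"  # RFC 7112: first fragment must hold the full header chain
    sport, dport = struct.unpack_from("!HH", frag["payload"])
    return f"udp:{sport}->{dport}"

def build_fragment(offset, more, ident, payload, upper=UDP):
    """Constructed sample: IPv6 header + Fragment header + payload (2001:db8::1 -> ::2)."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    frag = struct.pack("!BBHI", upper, 0, ((offset // 8) << 3) | int(more), ident)
    ip6 = struct.pack("!IHBB", 0x60000000, 8 + len(payload), FRAG_HDR, 64) + src + dst
    return ip6 + frag + payload

UDP_DNS = struct.pack("!HHHH", 40000, 53, 8 + 40, 0) + bytes(40)  # UDP header + 40 bytes of DNS
DNS_FRAG0 = build_fragment(0, True, 0x1234ABCD, UDP_DNS)        # -> udp:40000->53
EMPTY_FRAG0 = build_fragment(0, True, 0x1234ABCE, b"")          # -> drop-no-udp-header
TAIL_FRAG = build_fragment(1232, False, 0x1234ABCD, bytes(40))  # -> non-initial
```

A stateful filter would record the (src, dst, id) triple of an accepted fragment 0 and admit later fragments only when they match it, which is where the 32-bit identifier does its work.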
