v6 DNSSEC fail, was Buying IPv4 blocks
lists.nanog at monmotha.net
Fri Oct 5 20:43:24 UTC 2018
On 10/5/18 3:16 AM, Mark Andrews wrote:
> So require frag 0 to have what you require to do the filtering. Most stacks send maximal sized initial fragments up to 1280 bytes. For DNS the UDP header will be there as there is at least 8 bytes of fragmented packet. Additionally reassembly attacks are much harder as there is 32 bits of fragmentation identifier rather than 16 in IPv4.
> IPv6 fragmentation was designed with knowledge of the IPv4 reassembly attacks in mind.
You'll get no argument from me, here. This is not new nor are ways to
deal with it unknown. Despite that, it's a common reason I hear for
just blindly dropping all fragments. Personally, I consider such
devices/stacks broken, but that doesn't mean we don't have to deal with
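Mark's rule above (require frag 0 to carry what the filter needs, i.e. the UDP header, and tie later fragments to it through the 32-bit identification) is easy to show in code. The following Python is an added example written for this archive page, not code from the thread, from any vendor or from any DNS implementation. It builds a fragmented IPv6/UDP response the way a typical stack would (every fragment but the last filled up to a 1280-byte MTU) and runs a small stateful filter over the fragments. The addresses, ports, identification value and the 3000-byte dummy payload are constructed for illustration.

```python
import struct
import ipaddress

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_UDP = 17
NH_FRAGMENT = 44
DNS_PORT = 53


def _ipv6_header(src, dst, next_header, payload_len):
    """Fixed IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def build_udp(sport, dport, payload):
    """UDP header plus data; the checksum is left zero since nothing here verifies it."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment_ipv6(src, dst, upper_layer, next_header=NH_UDP, ident=0x12345678, mtu=1280):
    """Split upper_layer (transport header + data) into IPv6 fragments.

    Like most stacks, every fragment except the last is filled to the MTU, so
    fragment 0 is maximal (1232 bytes of transport data at MTU 1280) and always
    contains the UDP header. Offsets are in 8-octet units, hence the masking.
    ident is the 32-bit fragment identification (only 16 bits in IPv4).
    """
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) & ~7
    frags = []
    for off in range(0, len(upper_layer), chunk):
        piece = upper_layer[off:off + chunk]
        more = 1 if off + chunk < len(upper_layer) else 0
        frag_hdr = struct.pack("!BBHI", next_header, 0, ((off // 8) << 3) | more, ident)
        frags.append(_ipv6_header(src, dst, NH_FRAGMENT, FRAG_HDR_LEN + len(piece))
                     + frag_hdr + piece)
    return frags


def parse(packet):
    """Pull out the fields a fragment-aware filter needs from a raw IPv6 packet."""
    vtf, plen, nh, _hlim, src, dst = struct.unpack("!IHBB16s16s", packet[:IPV6_HDR_LEN])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": src, "dst": dst, "next_header": nh, "fragment": None}
    body = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]
    if nh == NH_FRAGMENT:
        inner_nh, _res, offflags, ident = struct.unpack("!BBHI", body[:FRAG_HDR_LEN])
        body = body[FRAG_HDR_LEN:]
        info["fragment"] = {"offset": (offflags >> 3) * 8, "more": offflags & 1, "ident": ident}
        info["next_header"] = inner_nh
    info["body"] = body
    return info


class FragmentFilter:
    """Pass DNS-over-UDP responses fragment by fragment instead of dropping all fragments.

    Policy: fragment 0 (or an unfragmented packet) must carry a full UDP header
    with source port 53; non-initial fragments are accepted only when fragment 0
    of the same (src, dst, identification) has already been accepted.
    """

    def __init__(self):
        self.accepted_first = set()

    def decide(self, packet):
        p = parse(packet)
        frag = p["fragment"]
        if p["next_header"] != NH_UDP:
            return "drop"
        if frag is None or frag["offset"] == 0:
            if len(p["body"]) < 8:          # UDP header must be present in frag 0
                return "drop"
            sport = struct.unpack("!H", p["body"][:2])[0]
            if sport != DNS_PORT:
                return "drop"
            if frag is not None and frag["more"]:
                self.accepted_first.add((p["src"], p["dst"], frag["ident"]))
            return "accept"
        key = (p["src"], p["dst"], frag["ident"])
        return "accept" if key in self.accepted_first else "drop"


def demo():
    """Constructed 3000-byte DNS response from 2001:db8::53, fragmented at MTU 1280."""
    response = build_udp(DNS_PORT, 4242, b"\x00" * 3000)
    frags = fragment_ipv6("2001:db8::53", "2001:db8::1", response)
    flt = FragmentFilter()
    return frags, [flt.decide(f) for f in frags]


if __name__ == "__main__":
    frags, decisions = demo()
    for f, d in zip(frags, decisions):
        print(len(f), parse(f)["fragment"], d)
```

The filter deliberately drops a non-initial fragment that shows up before its fragment 0; a production implementation would queue it briefly instead, since reordering is common, and would also bound the size of accepted_first and age entries out. The point the code makes is the one in the quoted text: with a maximal first fragment there is always enough in frag 0 to make the policy decision, so "drop every fragment" is not the only option.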