ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

Fernando Gont fgont at si6networks.com
Wed Mar 6 01:43:27 UTC 2019


On 27/2/19 07:01, Jean-Daniel Pauget wrote:
>     hello,
> 
>     I confess using IPv6 behind a 6in4 tunnel because the "Business-Class" service
>     of the concerned operator doesn't handle IPv6 yet.
> 
>     as such, I realised that, as far as I can figure, ICMPv6 "too-big" packets (rfc 4443)
>     seem to be ignored or filtered at ~60% of Cloudflare's http farms
> 
>     as a result, random sites such as http://nanog.org/ or https://www.ansible.com/
>     are badly reachable whenever small mtu are involved ...
> 
>     support at cloudflare answered me that because I'm not the owner of concerned site,
>     and because of security reasons, they wouldn't investigate further.
> 
>     are there security concerns with ICMP-too-big ?

Please see: https://tools.ietf.org/html/rfc5927

and also: https://tools.ietf.org/html/rfc8021

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
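
Added example, not part of the original message and not code from the RFC authors: a sketch of receiver-side checks that let a host process ICMPv6 Packet Too Big messages rather than filter them. It applies the in-flight TCP sequence-number check discussed in RFC 5927 and rejects an advertised MTU below the 1280-byte IPv6 minimum (the case that triggers the atomic fragments RFC 8021 is about). The `CONN` record, the function names and the sample addresses are assumptions; ICMPv6 checksum verification and extension headers in the embedded packet are left out.

```python
import struct
from ipaddress import IPv6Address

IPV6_MIN_MTU = 1280  # IPv6 minimum link MTU

# Constructed sample state for one TCP connection (hypothetical record layout).
CONN = {"local": IPv6Address("2001:db8::1"), "lport": 44321,
        "remote": IPv6Address("2001:db8::2"), "rport": 443,
        "snd_una": 1000, "snd_nxt": 5000}

def check_ptb(icmp: bytes, conn: dict) -> str:
    """Return 'accept' or a 'drop: ...' reason for one ICMPv6 message."""
    if len(icmp) < 8 + 40 + 8:          # ICMPv6 hdr + IPv6 hdr + start of TCP hdr
        return "drop: truncated"
    typ, code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if typ != 2 or code != 0:           # type 2 = Packet Too Big (RFC 4443)
        return "drop: not packet-too-big"
    if mtu < IPV6_MIN_MTU:
        return "drop: mtu below 1280"
    inner = icmp[8:]                    # the offending packet, as we sent it
    if inner[0] >> 4 != 6 or inner[6] != 6:   # IP version 6, next header TCP
        return "drop: embedded packet is not IPv6/TCP"
    src, dst = IPv6Address(inner[8:24]), IPv6Address(inner[24:40])
    sport, dport, seq = struct.unpack("!HHI", inner[40:48])
    if (src, sport, dst, dport) != (conn["local"], conn["lport"],
                                    conn["remote"], conn["rport"]):
        return "drop: no matching connection"
    # SND.UNA <= SEG.SEQ < SND.NXT, compared modulo 2**32 to survive wraparound
    in_flight = (conn["snd_nxt"] - conn["snd_una"]) % 2**32
    if (seq - conn["snd_una"]) % 2**32 >= in_flight:
        return "drop: sequence number not in flight"
    return "accept"

def build_ptb(mtu, src, dst, sport, dport, seq) -> bytes:
    """Constructed sample: a PTB carrying the start of an IPv6/TCP segment."""
    ip6 = struct.pack("!IHBB", 6 << 28, 20, 6, 64) + src.packed + dst.packed
    tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", 2, 0, 0, mtu) + ip6 + tcp

if __name__ == "__main__":
    a, b = CONN["local"], CONN["remote"]
    for mtu, seq in [(1400, 2000), (576, 2000), (1400, 9000)]:
        print(mtu, seq, check_ptb(build_ptb(mtu, a, b, 44321, 443, seq), CONN))
```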

More information about the NANOG mailing list