Re: [v6ops] Some stats on IPv6 fragments and EH filtering on the Internet

Simon Perreault <simon.perreault@viagenie.ca> Thu, 07 November 2013 19:15 UTC

Message-ID: <527BE6DD.7070609@viagenie.ca>
Date: Thu, 07 Nov 2013 11:15:41 -0800
From: Simon Perreault <simon.perreault@viagenie.ca>
To: v6ops@ietf.org
References: <5278275C.50206@gont.com.ar> <alpine.DEB.2.02.1311050028410.26054@uplift.swm.pp.se> <52783535.9030200@si6networks.com> <20131105001243.53E28985D0D@rock.dv.isc.org> <527839C6.3000805@viagenie.ca> <2134F8430051B64F815C691A62D98318148100@XCH-BLV-504.nw.nos.boeing.com> <F4AB804C-2C8E-40EF-ACE9-0A901E4F5122@employees.org> <52784DD1.7020106@gont.com.ar> <BD308F06-C9E2-42EB-9D23-CFD3432F1A1D@employees.org> <52785F34.6020606@si6networks.com> <A9F99218-AB14-45AA-B29D-7E1D7E4B93FC@employees.org> <5278E639.3040606@inex.ie> <C4864CA1-C8F4-45D6-944A-0E8BA073D4A7@employees.org> <5278E986.9050409@inex.ie> <C1BEE5D4-FDC2-4E4B-947D-CEC9E4F05E5D@employees.org> <1CC52A18-ADA1-4987-9AB4-2D6C75379AA8@bogus.com>
In-Reply-To: <1CC52A18-ADA1-4987-9AB4-2D6C75379AA8@bogus.com>
Subject: Re: [v6ops] Some stats on IPv6 fragments and EH filtering on the Internet

Le 2013-11-07 11:05, joel jaeggli a écrit :
>>>> if you use one of these in the Internet core I cannot see any other choice than to
>>>> allow forwarding of fragments.
>>>
>>> no, drop!  Because otherwise your infrastructure is wide open to control
>>> plane attacks with ipv6 frags, with no means of defence!  If that happens,
>>> then your entire network falls over.
>>
>> why don't you filter out packets on the edge destined to your router's addresses?
>> instead of what's effectively breaking IPv6 service across the network.
>
> my routers actually do process unsolicited packets from the internet (icmp echo for example, packets of any variety with a ttl of 1) and do need the control plane acl that reflects that.

Why is passing ICMP echoes to the CP acceptable, and passing fragments to the CP is not acceptable?

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
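The exchange above turns on what a control-plane ACL can and cannot classify. As an added illustration, not code from anyone in this thread, the following Python model applies a hypothetical control-plane policy to constructed IPv6 packets: transit traffic is forwarded, hop-limit-1 packets and ICMP echo requests to the router's own addresses are punted (the cases Joel names), other unsolicited packets to the router are dropped, and fragments are handled separately. The reason fragments differ from echoes is that only the first fragment carries the upper-layer header (RFC 8200); a non-initial fragment addressed to the router cannot be matched against an L4 allow list at all, so this model budgets such fragments per source rather than trusting or dropping them wholesale. Addresses, the budget value, the `Packet` fields and the decision labels are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress

# IPv6 next-header values (RFC 8200) and the ICMPv6 echo request type (RFC 4443)
NH_FRAGMENT = 44
NH_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128


@dataclass
class Packet:
    """Minimal IPv6 packet view, constructed for this example."""
    src: str
    dst: str
    hop_limit: int
    next_header: int                         # next-header field of the fixed IPv6 header
    frag_offset: int = 0                     # fragment offset; 0 means first fragment
    inner_next_header: Optional[int] = None  # L4 protocol, visible only in the first fragment
    icmp_type: Optional[int] = None          # ICMPv6 type, when an ICMPv6 header is visible


class ControlPlanePolicy:
    """Hypothetical router policy (not any vendor's CoPP implementation):
    decide per packet whether it is forwarded, punted to the control plane,
    or dropped."""

    def __init__(self, router_addrs, frag_budget_per_src=2):
        self.router_addrs = {ipaddress.ip_address(a) for a in router_addrs}
        self.frag_budget = frag_budget_per_src
        self.frag_seen = defaultdict(int)  # non-initial fragments punted, per source

    def classify(self, pkt: Packet) -> str:
        # Hop limit of 1: the router must originate ICMPv6 Time Exceeded,
        # so the packet reaches the control plane whatever its destination.
        if pkt.hop_limit <= 1:
            return "punt:time-exceeded"

        if ipaddress.ip_address(pkt.dst) not in self.router_addrs:
            return "forward"  # transit traffic stays in the data plane

        # Addressed to the router itself: apply the control-plane allow list.
        if pkt.next_header == NH_ICMPV6 and pkt.icmp_type == ICMPV6_ECHO_REQUEST:
            return "punt:echo"
        if pkt.next_header == NH_FRAGMENT:
            return self._classify_fragment(pkt)
        return "drop:unsolicited"

    def _classify_fragment(self, pkt: Packet) -> str:
        if pkt.frag_offset == 0:
            # First fragment: the L4 header is present, so the allow list applies.
            if pkt.inner_next_header == NH_ICMPV6 and pkt.icmp_type == ICMPV6_ECHO_REQUEST:
                return "punt:echo-fragment"
            return "drop:unsolicited"
        # Non-initial fragment: no L4 header to match, so apply a per-source budget.
        self.frag_seen[pkt.src] += 1
        if self.frag_seen[pkt.src] <= self.frag_budget:
            return "punt:fragment-budgeted"
        return "drop:fragment-over-budget"


def run_demo():
    """Classify a constructed packet mix; returns the list of decisions."""
    policy = ControlPlanePolicy(["2001:db8:0:1::1"])  # constructed router address
    remote, me, customer = "2001:db8:ff::1", "2001:db8:0:1::1", "2001:db8:2::10"
    packets = [
        Packet(remote, customer, 64, 6),                                   # transit TCP
        Packet(remote, customer, 1, 17),                                   # traceroute probe
        Packet(remote, me, 64, NH_ICMPV6, icmp_type=ICMPV6_ECHO_REQUEST),  # ping the router
        Packet(remote, me, 64, 6),                                         # unsolicited TCP
        Packet(remote, me, 64, NH_FRAGMENT, 0, NH_ICMPV6, ICMPV6_ECHO_REQUEST),  # large ping, 1st frag
        Packet(remote, me, 64, NH_FRAGMENT, 1),                            # non-initial fragments...
        Packet(remote, me, 64, NH_FRAGMENT, 2),
        Packet(remote, me, 64, NH_FRAGMENT, 3),                            # ...third exceeds budget
    ]
    return [policy.classify(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The per-source budget is the model's answer to Simon's question: an echo request can be matched by type and rate-limited like any other allowed protocol, whereas a non-initial fragment offers nothing to match, so the only control-plane protection available is volume-based. Whether that budget is acceptable, or the fragments should be dropped outright, is exactly the trade-off the thread is arguing about.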