Re: [v6ops] Some stats on IPv6 fragments and EH filtering on the Internet
Ole Troan <otroan@employees.org> Tue, 05 November 2013 12:54 UTC
To: Nick Hilliard <nick@inex.ie>
Cc: Fernando Gont <fgont@si6networks.com>, "v6ops@ietf.org" <v6ops@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Nick,

>> if you use one of these in the Internet core I cannot see any other choice than to
>> allow forwarding of fragments.
>
> no, drop! Because otherwise your infrastructure is wide open to control
> plane attacks with ipv6 frags, with no means of defence! If that happens,
> then your entire network falls over.

why don't you filter out packets on the edge destined to your router's addresses?
instead of what's effectively breaking IPv6 service across the network.

cheers,
Ole
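The two policies contrasted in this message, as an added illustration that is not part of the original e-mail or of any router's code: one drops every packet carrying a Fragment header, the other drops at the edge only what is addressed to the routers themselves. The infrastructure prefix 2001:db8:ffff::/48, the sample addresses and all function names are assumptions.

```python
import ipaddress
import struct

# Assumed documentation-range prefix holding router loopback/link addresses.
INFRA_PREFIXES = [ipaddress.ip_network("2001:db8:ffff::/48")]
FRAGMENT = 44
# Extension headers sized as (hdr_ext_len + 1) * 8 bytes:
CHAINED = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options


def parse(packet: bytes):
    """Return (destination, has_fragment_header) for a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header = packet[6]
    dst = ipaddress.IPv6Address(packet[24:40])
    offset = 40
    while next_header in CHAINED:  # walk the chain up to a Fragment header
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header chain")
        next_header, ext_len = packet[offset], packet[offset + 1]
        offset += (ext_len + 1) * 8
    return dst, next_header == FRAGMENT


def drop_all_fragments(packet: bytes) -> str:
    """Blanket policy: any fragment is dropped, transit traffic included."""
    _, fragmented = parse(packet)
    return "drop" if fragmented else "forward"


def edge_infrastructure_filter(packet: bytes) -> str:
    """Edge policy: drop only packets destined to router addresses."""
    dst, _ = parse(packet)
    return "drop" if any(dst in net for net in INFRA_PREFIXES) else "forward"


def build(dst: str, fragmented: bool) -> bytes:
    """Construct a sample packet (constructed test data, not a capture)."""
    src = ipaddress.IPv6Address("2001:db8:1::1").packed
    payload = b"\x00" * 8
    if fragmented:
        # Fragment header: next header 17 (UDP), reserved, offset 0 + M flag, id
        payload = struct.pack("!BBHI", 17, 0, 1, 0x1234) + payload
    next_header = FRAGMENT if fragmented else 17
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return header + src + ipaddress.IPv6Address(dst).packed + payload
```

A fragment in transit to a customer address is dropped by the first policy and forwarded by the second, while a fragment addressed into the infrastructure prefix is dropped by the edge filter before it reaches a router's control plane.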