Hi, Pekka,

On 06/06/2011 07:43 AM, Pekka Savola wrote:
>> RA-Guard is not a perfect solution to RA spoofing. It never will
>> be. It has limitations (and always will). ND packets that use
>> extension headers or fragmentation are just one specific example.
>
> This has happened with radvd.

You mean that at some point radvd was sending fragmented IPv6 traffic,
even when it was "unexpected"?

> There was one individual who very strongly insisted (by filing and
> bugging about that in a bug report at Red Hat Bugzilla) that he must be
> able to advertise his whole /48, i.e., 64K prefix information options.
> That resulted in the implementation fragmenting packets at the IP
> layer. Transport layer fragmentation to multiple RAs would have
> been possible as well but there was no point in implementing that. I
> solved the "problem" by restricting radvd send buffer size to 1452B, so
> both are prevented. I wouldn't be sad to see the RA transport/IP layer
> fragmentation go.

This is a good datapoint to have (i.e., radvd never sending fragmented
ND traffic) -- I will try to include a note about this in the next rev
of the I-D.

Thanks!

Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
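
The limitation discussed in this thread (ND packets that use extension headers or fragmentation), seen from the filtering side. This is an added example, not part of the original e-mails and not code from radvd or any RA-Guard implementation: `classify` walks the IPv6 header chain and reports when the ICMPv6 type cannot be determined from the packet at hand. All function names and the sample packets are constructed for illustration.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement

def naive_is_ra(pkt: bytes) -> bool:
    """Filter that only inspects the base header's Next Header field."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == ROUTER_ADVERT

def classify(pkt: bytes) -> str:
    """Walk the IPv6 header chain the way an RA filter on a switch port must."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-ipv6"
    nxt, off, frag_hdr = pkt[6], 40, False
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if off + 8 > len(pkt):
            return "undetermined"          # chain continues beyond this packet
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "undetermined"      # non-first fragment: no upper-layer header here
            frag_hdr, hdr_len = True, 8    # Fragment header is always 8 bytes
        else:
            hdr_len = 8 * (pkt[off + 1] + 1)
        nxt, off = pkt[off], off + hdr_len
    if nxt != ICMPV6:
        return "other"
    if off >= len(pkt):
        return "undetermined"              # ICMPv6 type sits in a later fragment
    if pkt[off] != ROUTER_ADVERT:
        return "other"
    return "ra-with-fragment-header" if frag_hdr else "ra"

# --- constructed sample packets (hypothetical values, checksums left at zero) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    addrs = bytes.fromhex("fe80" + "00" * 13 + "01" + "ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + addrs + payload

def frag(next_header: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, 0x1234)

RA = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
DEST = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])          # Destination Options, PadN only
SAMPLES = {
    "plain RA": ipv6(ICMPV6, RA),
    "RA behind Destination Options": ipv6(DEST_OPTS, DEST + RA),
    "first fragment, chain cut": ipv6(FRAGMENT, frag(DEST_OPTS, 0, 1) + DEST),
    "second fragment": ipv6(FRAGMENT, frag(DEST_OPTS, 1, 0) + RA),
}
```

The second sample is the case a Next-Header-only filter misses; the last two are the ones that inspection of a single packet cannot resolve.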