On 10/4/12 7:36 AM, Dobbins, Roland wrote:
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:

The closer you get to the edge the more common it might become...
iACLs should be implemented at the network edge to drop all IPv4 and IPv6 
traffic - including non-initial fragments - directed towards point-to-point 
links, loopbacks, and other internal infrastructure with exceptions made for 
cases where there's a legitimate need for sources outside your network to be 
able to communicate with your infrastructure.

As mentioned previously on the thread, this has nothing to do with transit 
data-plane traffic, which should be left untouched unless it's specifically 
classified as attack traffic or other undesirable traffic.

There's an apparently common misperception that fragmented traffic is somehow 
bad.  It isn't.  It's normal, under most circumstances.  Protect your 
infrastructure proactively, deal with anything else on a case-by-case basis.

So the thing I'd note is that stateless IPV6 ACLs or load balancing provide you with an interesting problem since a fragment does not contain the headers beyond the required unfragmentable headers. it is possible but unlikely that the fragment will hash into the same bucket in a stateless load balancer (using what's left of 5-tuple).

Likewise with the acl I have the property that the initial packet has all the info in it while the fragment does not. I would have to reassemble the packet (which isn't going to happen in the place where the stateless acl is applied) prior to being able to decide to pass it or not (or just pass fragments through that acl).
-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton





Reply via email to