On 10/4/12 7:36 AM, Dobbins, Roland wrote:
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
The closer you get to the edge the more common it might become...
iACLs should be implemented at the network edge to drop all IPv4 and IPv6
traffic - including non-initial fragments - directed towards point-to-point
links, loopbacks, and other internal infrastructure with exceptions made for
cases where there's a legitimate need for sources outside your network to be
able to communicate with your infrastructure.
As mentioned previously on the thread, this has nothing to do with transit
data-plane traffic, which should be left untouched unless it's specifically
classified as attack traffic or other undesirable traffic.
There's an apparently common misperception that fragmented traffic is somehow
bad. It isn't. It's normal, under most circumstances. Protect your
infrastructure proactively, deal with anything else on a case-by-case basis.
So the thing I'd note is that stateless IPV6 ACLs or load balancing
provide you with an interesting problem since a fragment does not
contain the headers beyond the required unfragmentable headers. it is
possible but unlikely that the fragment will hash into the same bucket
in a stateless load balancer (using what's left of 5-tuple).
Likewise with the acl I have the property that the initial packet has
all the info in it while the fragment does not. I would have to
reassemble the packet (which isn't going to happen in the place where
the stateless acl is applied) prior to being able to decide to pass it
or not (or just pass fragments through that acl).
-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
