On Thu, 4 Oct 2012, Tom Taylor wrote:
Who drops IPv6 fragments in their network, under what circumstances?
People who run 7600 with SUP720 and who hasn't turned on a certain
command.
http://mailman.nanog.org/pipermail/nanog/2011-September/040653.html
#platform ipv6 acl fragment hardware
On 10/04/2012 04:36 PM, Dobbins, Roland wrote:
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
The closer you get to the edge the more common it might become...
iACLs should be implemented at the network edge to drop all IPv4 and IPv6
traffic - including non-initial fragments -
Who drops IPv6 fragments in their network, under what circumstances?
Tom Taylor
On (2012-10-04 10:16 -0400), Tom Taylor wrote:
Who drops IPv6 fragments in their network, under what circumstances?
No one who offers working IP connections.
Dropping IPv6 fragments against your control-plane, that is another
discussion, but dropping them in transit would be short-lived
On 04/10/2012 10:20 AM, Saku Ytti wrote:
On (2012-10-04 10:16 -0400), Tom Taylor wrote:
Who drops IPv6 fragments in their network, under what circumstances?
No one who offers working IP connections.
Dropping IPv6 fragments against your control-plane, that is another
discussion, but dropping
Hi,
Who drops IPv6 fragments in their network, under what circumstances?
No one who offers working IP connections.
Dropping IPv6 fragments against your control-plane, that is another
discussion, but dropping them in transit would be short-lived exercise.
Depends on where you are looking
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
The closer you get to the edge the more common it might become...
iACLs should be implemented at the network edge to drop all IPv4 and IPv6
traffic - including non-initial fragments - directed towards point-to-point
links, loopbacks, and
On 10/4/12 7:36 AM, Dobbins, Roland wrote:
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
The closer you get to the edge the more common it might become...
iACLs should be implemented at the network edge to drop all IPv4 and IPv6
traffic - including non-initial fragments - directed
On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote:
Likewise with the acl I have the property that the initial packet has
all the info in it while the fragment does not.
For iACLs, just filter non-initial fragments directed to infrastructure IPs.
Cisco Juniper ACLs have ACL matching criteria
On 10/4/12 8:15 AM, Dobbins, Roland wrote:
On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote:
Likewise with the acl I have the property that the initial packet has
all the info in it while the fragment does not.
For iACLs, just filter non-initial fragments directed to infrastructure IPs. Cisco
On Oct 4, 2012, at 7:36 AM, Dobbins, Roland wrote:
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
The closer you get to the edge the more common it might become...
iACLs should be implemented at the network edge to drop all IPv4 and IPv6
traffic - including non-initial fragments -
Hi, Joel,
On 10/04/2012 10:58 AM, joel jaeggli wrote:
So the thing I'd note is that stateless IPV6 ACLs or load balancing
provide you with an interesting problem since a fragment does not
contain the headers beyond the required unfragmentable headers.
In the real world, such packets are not
In message c7e7de67-f668-45b4-9d64-2058400dc...@doubleshotsecurity.com, Merik
e Kaeo writes:
On Oct 4, 2012, at 7:36 AM, Dobbins, Roland wrote:
=20
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
=20
The closer you get to the edge the more common it might become...
=20
iACLs
Fernando Gont wrote:
In the real world, such packets are not legitimate, so feel free to drop
them. draft-ietf-6man-oversized-header-chain formally addresses this issue.
The ID misses the problem of 4-6 translator.
That is, though the ID state:
Entire IPv6 header chain:
All protocol
14 matches
Mail list logo