Re: Dropping IPv6 Fragments

2012-10-05 Thread Benno Overeinder
On 10/04/2012 04:36 PM, Dobbins, Roland wrote: > > On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote: > >> The closer you get to the edge the more common it might become... > > iACLs should be implemented at the network edge to drop all IPv4 and IPv6 > traffic - including non-initial fragments

Re: Dropping IPv6 Fragments

2012-10-05 Thread Mikael Abrahamsson
On Thu, 4 Oct 2012, Tom Taylor wrote: Who drops IPv6 fragments in their network, under what circumstances? People who run 7600 with SUP720 and who haven't turned on a certain command. #platform ipv6 acl fragment hardwar

Re: Dropping IPv6 Fragments

2012-10-04 Thread Masataka Ohta
Fernando Gont wrote: > In the real world, such packets are not legitimate, so feel free to drop > them. draft-ietf-6man-oversized-header-chain formally addresses this issue. The ID misses the problem of 4->6 translator. That is, though the ID states: Entire IPv6 header chain: All protoc

Re: Dropping IPv6 Fragments

2012-10-04 Thread Mark Andrews
In message , Merike Kaeo writes: > > On Oct 4, 2012, at 7:36 AM, Dobbins, Roland wrote: > > > > > On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote: > > > >> The closer you get to the edge the more common it might become... > > > > iACLs should be implemented at the network edge to dro

Re: Dropping IPv6 Fragments

2012-10-04 Thread Fernando Gont
Hi, Joel, On 10/04/2012 10:58 AM, joel jaeggli wrote: > So the thing I'd note is that stateless IPV6 ACLs or load balancing > provide you with an interesting problem since a fragment does not > contain the headers beyond the required unfragmentable headers. In the real world, such packets are not

Re: Dropping IPv6 Fragments

2012-10-04 Thread Merike Kaeo
On Oct 4, 2012, at 7:36 AM, Dobbins, Roland wrote: > > On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote: > >> The closer you get to the edge the more common it might become... > > iACLs should be implemented at the network edge to drop all IPv4 and IPv6 > traffic - including non-initial frag

Re: Dropping IPv6 Fragments

2012-10-04 Thread joel jaeggli
On 10/4/12 8:15 AM, Dobbins, Roland wrote: On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote: Likewise with the acl I have the property that the initial packet has all the info in it while the fragment does not. For iACLs, just filter non-initial fragments directed to infrastructure IPs. Cisco

Re: Dropping IPv6 Fragments

2012-10-04 Thread Dobbins, Roland
On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote: > Likewise with the acl I have the property that the initial packet has > all the info in it while the fragment does not. For iACLs, just filter non-initial fragments directed to infrastructure IPs. Cisco & Juniper ACLs have ACL matching criter

Re: Dropping IPv6 Fragments

2012-10-04 Thread joel jaeggli
On 10/4/12 7:36 AM, Dobbins, Roland wrote: On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote: The closer you get to the edge the more common it might become... iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - directed toward

Re: Dropping IPv6 Fragments

2012-10-04 Thread Dobbins, Roland
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote: > The closer you get to the edge the more common it might become... iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - directed towards point-to-point links, loopbacks, and oth

Re: Dropping IPv6 Fragments

2012-10-04 Thread Sander Steffann
Hi, >> Who drops IPv6 fragments in their network, under what circumstances? > > No one who offers working IP connections. > > Dropping IPv6 fragments against your control-plane, that is another > discussion, but dropping them in transit would be short-lived exercise. Dep

Re: Dropping IPv6 Fragments

2012-10-04 Thread Tom Taylor
On 04/10/2012 10:20 AM, Saku Ytti wrote: On (2012-10-04 10:16 -0400), Tom Taylor wrote: Who drops IPv6 fragments in their network, under what circumstances? No one who offers working IP connections. Dropping IPv6 fragments against your control-plane, that is another discussion, but dropping

Re: Dropping IPv6 Fragments

2012-10-04 Thread Saku Ytti
On (2012-10-04 10:16 -0400), Tom Taylor wrote: > Who drops IPv6 fragments in their network, under what circumstances? No one who offers working IP connections. Dropping IPv6 fragments against your control-plane, that is another discussion, but dropping them in transit would be short-li

Dropping IPv6 Fragments

2012-10-04 Thread Tom Taylor
Who drops IPv6 fragments in their network, under what circumstances? Tom Taylor