On 09/21/2017 06:50 AM, Paul Vixie wrote:
> both ideas are wrong. what we have to do is arrange to fragment, using the ipv6 extension header, all ipv6 udp, for a period of not less than five years. no one who blocks ipv6 extension headers should be able to get reliable ipv6 udp services. we have to make this problem felt where it is made. we must NOT work around it to insulate the makers of the problem from the costs of their actions.
I disagree with this approach. Just avoid fragmentation altogether. We know that it's harmful and can be used to bypass existing DNS hardening features. Within five or ten years, packet rates have increased so much that the additional protection afforded by the 32-bit reassembly ID in IPv6 isn't sufficient anymore, either.
IP fragmentation is dead. Use something else.

Thanks,
Florian

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
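The risk argument in the reply above (fragmentation shrinks what an off-path spoofer must guess, and a fixed-size ID loses value as packet rates climb) can be put into numbers. The following is an added example, not code from the thread or from any DNS implementation: it models the guess space for an unfragmented answer (16-bit transaction ID plus 16-bit random source port) against a fragmented one (a forged trailing fragment only needs to match the reassembly ID: 16 bits on IPv4, 32 bits on IPv6), and shows how the match probability within a reassembly window scales with spoofed packet rate. The 1232-byte payload limit is derived from the IPv6 minimum link MTU of 1280 minus the IPv6 and UDP headers; the rate and window values in the usage are constructed inputs, not measurements.

```python
import math

# Derived constants: IPv6 minimum link MTU (RFC 8200) minus IPv6 and UDP headers.
IPV6_MIN_MTU = 1280
IPV6_HEADER = 40
UDP_HEADER = 8
MAX_UNFRAGMENTED_DNS_PAYLOAD = IPV6_MIN_MTU - IPV6_HEADER - UDP_HEADER  # 1232


def guess_space_bits(answer_fragmented: bool, ipv6: bool) -> int:
    """Bits an off-path spoofer must match for a forged answer to be accepted.

    Unfragmented answer: the resolver checks a 16-bit transaction ID and a
    16-bit randomized source port, 32 bits in total.
    Fragmented answer: the genuine first fragment already carries port and
    TXID; a forged trailing fragment is stitched in by the reassembler if its
    reassembly ID matches, 16 bits on IPv4 and 32 bits on IPv6.
    """
    if not answer_fragmented:
        return 32
    return 32 if ipv6 else 16


def match_probability_within(bits: int, spoofed_pps: float, window_s: float) -> float:
    """Probability that at least one forged packet matches during a window.

    Each packet succeeds independently with probability 1 / 2**bits; over
    n = spoofed_pps * window_s packets the failure chance is (1 - p)**n.
    """
    p = 1.0 / (2 ** bits)
    n = spoofed_pps * window_s
    return 1.0 - math.exp(n * math.log1p(-p))


def expected_seconds_to_match(bits: int, spoofed_pps: float) -> float:
    """Mean time until the first match at a constant spoofed packet rate."""
    return (2 ** bits) / spoofed_pps


def fits_unfragmented(dns_payload_bytes: int) -> bool:
    """True if a UDP DNS payload fits in the IPv6 minimum MTU without fragmenting."""
    return dns_payload_bytes <= MAX_UNFRAGMENTED_DNS_PAYLOAD


if __name__ == "__main__":
    # Constructed inputs: a 60 s reassembly window and two spoofed packet rates.
    window = 60.0
    for pps in (10_000.0, 1_000_000.0):
        for fragmented, v6 in ((False, True), (True, False), (True, True)):
            bits = guess_space_bits(fragmented, v6)
            prob = match_probability_within(bits, pps, window)
            label = f"{'IPv6' if v6 else 'IPv4'} {'fragmented' if fragmented else 'unfragmented'}"
            print(f"{pps:>10.0f} pps  {label:<20} {bits} bits  P(match in {window:.0f}s) = {prob:.4f}")
    print("1232-byte answer fits unfragmented:", fits_unfragmented(1232))
    print("1233-byte answer fits unfragmented:", fits_unfragmented(1233))
```

Run as a script, the table shows the 16-bit IPv4 case saturating at any realistic rate, and the 32-bit IPv6 case moving from negligible to non-trivial as the rate grows by two orders of magnitude; that is the "packet rates have increased" point. The `fits_unfragmented` check is the defender's practical handle: keep UDP answers at or below 1232 bytes (or force TCP) and the fragmentation path never opens.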