On Thu, 10 Dec 2009 09:39:33 +0100, Jonas Thambert wrote:

>Like a month ago we got a complaint from a user that our website
>was unreachable over IPv6. We have 2x native IPv6 transits. The user
>had bought IPv6 from an ISP that uses tunneling to deliver it
>to the organization. After some packet traces we found out that the
>problem was in PF and that it doesn't seem to handle fragmented IPv6
>packets.
>
>Sure enough, from the man page of pf.conf:
>
>"Currently, only IPv4 fragments are supported and IPv6 fragments are
> blocked unconditionally."
>
>The problem is that some of Sweden's largest ISPs use tunneling for IPv6
>to their customers so we can't just say, ditch em. Teredo seems to work fine.
>
>Is there a workaround or plans to implement support for this in pf? We have
>multiple firewalls and the others have no problems with IPv6 + fragmented packets.
>

I have an IPv6 over IPv4 connection. I once had two, one using a hexago
tunnel and the other I still have using a Hurricane Electric one.

I have never had a problem connecting through OpenBSD with a pf
firewall to native IPv6 sites like Google's v6 or the hosts on the /32
IPv6 netblock I maintain using an OpenBSD / OpenBGPd router.

Maybe I'm just lucky. I'm a bit confused as to why packets need to be
fragmented on IPv6 other than to play DDOS games. Nobody needs packets
bigger than the specified minimum (1280B) and the usual problem is a
PMTUD blackhole anyway.

Don't you just love all those cretins that block all ICMP packets on
IPv4? They can stuff up IPv6 too.

There is some advice about debugging this kind of problem in van
Beijnum's "Running IPv6". Try starting with that or finding out why
there are oversized packets there anyway.

The real fly in the ointment is the stupid way one can frag packets
madly in IPv6 with mayhem in mind. *

If you want to allow reassembly you have to figure out what to do about
malicious frags which can exhaust your RAM quite easily.

* See http://www.ruxcon.org.au/files/2006/dowd_ipv6.ppt

I'm too tired to reread this to see if it all makes sense but if I left
it until I was fresher I'd have forgotten to reply ;-) Hope you can get
some good out of it.

Regards,



*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is
tarpitted. The reply-to: address is provided for those who feel compelled to
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
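The reassembly-state exhaustion Rod warns about, and why a firewall that does reassemble IPv6 fragments has to bound that state, as an added example (not code from this thread or from pf): a minimal IPv6 Fragment-header parser plus a reassembler with a hard entry cap and an age-out, so fragment sets that never complete are evicted instead of consuming RAM indefinitely. The addresses, fragment IDs and payloads are constructed sample data; `make_fragment` is a helper assumed here only to build them.

```python
import struct
import time
from collections import OrderedDict

FRAG_HDR = 44  # IPv6 Fragment extension header (next-header value)

def parse_fragment(pkt):
    # (src, dst, id, offset_bytes, more, payload) when the first extension header
    # is a Fragment header, else None (packets with other ext headers not handled)
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != FRAG_HDR:
        return None
    _nh, _res, off_m, frag_id = struct.unpack("!BBHI", pkt[40:48])  # offset:13|res:2|M:1
    return pkt[8:24], pkt[24:40], frag_id, (off_m >> 3) * 8, off_m & 1, pkt[48:]

def make_fragment(src, dst, frag_id, offset, more, payload, next_hdr=17):
    # Constructed IPv6 fragment for testing (not a real capture); hop limit 64
    base = struct.pack("!IHBB", 6 << 28, 8 + len(payload), FRAG_HDR, 64) + src + dst
    frag = struct.pack("!BBHI", next_hdr, 0, ((offset // 8) << 3) | more, frag_id)
    return base + frag + payload

class BoundedReassembler:
    # Reassembly state capped in entries and age: sets that never complete are
    # evicted oldest-first instead of growing memory without bound
    def __init__(self, max_entries=1000, timeout=60.0, clock=time.monotonic):
        self.max_entries, self.timeout, self.clock = max_entries, timeout, clock
        self.table = OrderedDict()  # (src, dst, id) -> [first_seen, total_len, {off: data}]
        self.evicted = 0

    def feed(self, pkt):
        # Returns the reassembled payload when a set completes, else None
        parsed = parse_fragment(pkt)
        if parsed is None:
            return None
        src, dst, frag_id, offset, more, payload = parsed
        now = self.clock()
        while self.table and now - next(iter(self.table.values()))[0] >= self.timeout:
            self.table.popitem(last=False); self.evicted += 1  # age out stale sets
        key = (src, dst, frag_id)
        if key not in self.table:
            if len(self.table) >= self.max_entries:
                self.table.popitem(last=False); self.evicted += 1  # hard cap on state
            self.table[key] = [now, None, {}]
        entry = self.table[key]
        entry[2][offset] = payload
        if not more:
            entry[1] = offset + len(payload)  # last fragment fixes the total length
        pos = 0
        for off in sorted(entry[2]):  # complete only if contiguous from offset 0
            if off != pos: break
            pos += len(entry[2][off])
        if entry[1] is None or pos != entry[1]: return None
        del self.table[key]
        return b"".join(entry[2][o] for o in sorted(entry[2]))
```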