Thanks Rod for your input. We use pf as a firewall, and when we get the users' IPv6 packets they are already fragmented. Native IPv6 and Teredo tunnels do not get fragmented on the way to us.
I will read up on your links ;)

// Jonas

> I have an IPv6 over IPv4 connection. I once had two, one using a hexago
> tunnel and the other I still have using a Hurricane Electric one.
>
> I have never had a problem connecting through OpenBSD with a pf
> firewall to native IPv6 sites like Google's v6 or the hosts on the /32
> IPv6 netblock I maintain using an OpenBSD / OpenBGPd router.
>
> Maybe I'm just lucky. I'm a bit confused as to why packets need to be
> fragmented on IPv6 other than to play DDOS games. Nobody needs packets
> bigger than the specified minimum (1280B) and the usual problem is a
> PMTUD blackhole anyway.
>
> Don't you just love all those cretins that block all ICMP packets on
> IPv4? They can stuff up IPv6 too.
>
> There is some advice about debugging this kind of problem in van
> Beijnum's "Running IPv6". Try starting with that or finding out why
> there are oversized packets there anyway.
>
> The real fly in the ointment is the stupid way one can frag packets
> madly in IPv6 with mayhem in mind. *
>
> If you want to allow reassembly you have to figure out what to do about
> malicious frags which can exhaust your RAM quite easily.
>
> * See http://www.ruxcon.org.au/files/2006/dowd_ipv6.ppt
>
> I'm too tired to reread this to see if it all makes sense but if I left
> it until I was fresher I'd have forgotten to reply ;-) Hope you can get
> some good out of it
>
> Regards,
>
>
>
> *** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
> Mail to the sender address that does not originate at the list server is
> tarpitted. The reply-to: address is provided for those who feel compelled to
> reply off list. Thank you.
>
> Rod/
> ---
> This life is not the real thing.
> It is not even in Beta.
> If it was, then OpenBSD would already have a man page for it.
>

--
Jonas Thambert
CISSP, CISA, CISM
Swedish IT Incident Centre, GovCERT-SE
AS41884
National Post and Telecom Agency
P O Box 5398, SE-102 49 Stockholm, Sweden
Office address: Birger Jarlsgatan 16, Stockholm
Tel dir: +46 8 678 57 65
Mob: +46 706 25 57 65
Op: +46 8 678 55 00
Fax: +46 8 678 55 05
SITIC: +46 8 678 5799
Mailto: jonas.thamb...@sitic.se
http://www.sitic.se
http://www.pts.se
--
Get my PGP-Key at: http://www.sitic.se/jonas.thambert_at_sitic.se.asc