On 2009-12-10, Jonas Thambert <jonas.thamb...@sitic.se> wrote:
> Like a month ago we got a complaint from a user that our website
> was unreachable over IPv6. We have 2x native IPv6 transits. The user
> had bought IPv6 from an ISP that uses tunneling to deliver it
> to the organization. After some packet traces we found out that the
> problem was in PF and that it doesn't seem to handle fragmented IPv6
> packets.
>
> Sure enough, from the man page of pf.conf:
>
> "Currently, only IPv4 fragments are supported and IPv6 fragments are
> blocked unconditionally."
>
> The problem is that some of Sweden's largest ISPs use tunneling for IPv6
> to their customers, so we can't just say, ditch 'em. Teredo seems to work fine.
>
> Is there a workaround or plans to implement support for this in pf?
The workaround is to reduce the MTU, or for TCP you can use scrub max-mss (1220 is a safe value to clamp MSS to; this equates to MTU 1280, which all IPv6 hosts are required to handle).

As for plans, well, it would be useful, but I think it basically comes down to somebody needing it badly enough that they either do the work themselves or pay someone for it.

> We have multiple
> firewalls and the others have no problems with ipv6 + fragmented packets.

Some firewalls *may* just be enforcing policy on the first fragment and letting the subsequent fragments through without checking them, in which case they have a simpler job: no need for the fragment cache/reassembly that PF does.
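An added pf.conf fragment illustrating the max-mss workaround from the reply above; it is not from the thread, and the `ext_if` macro and `em0` interface name are assumed.

```conf
# Assumed macro (not from the thread): the interface carrying native IPv6 transit.
ext_if = "em0"

# PF drops IPv6 fragments unconditionally, so keep TCP segments small enough
# that nothing on the path has to fragment: 1280 (minimum IPv6 MTU, RFC 2460)
# - 40 (IPv6 header) - 20 (TCP header) = 1220 bytes of MSS. Clamp both
# directions so neither end advertises a larger MSS through the tunnel.
#
# Classic scrub-rule syntax (OpenBSD before 4.6 and older PF ports):
scrub in  on $ext_if inet6 proto tcp all max-mss 1220
scrub out on $ext_if inet6 proto tcp all max-mss 1220

# Equivalent on OpenBSD 4.6 and later, where scrub became a match option
# (use one form or the other, not both, in the same ruleset):
match in  on $ext_if inet6 proto tcp all scrub (max-mss 1220)
match out on $ext_if inet6 proto tcp all scrub (max-mss 1220)

# Caveat: this only rewrites the MSS option in TCP SYNs. Fragmented UDP or
# ICMPv6 (large DNS replies, for example) from tunneled clients is still
# dropped; the only fix for those is a lower MTU on the link or the tunnel.
```

Check with `pfctl -nf /etc/pf.conf` that your PF version accepts the chosen syntax before loading it.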