On 10/5/18 3:16 AM, Mark Andrews wrote:
> So require frag 0 to have what you require to do the filtering. Most stacks
> send maximal sized initial fragments up to 1280 bytes. For DNS the UDP header
> will be there as there is at least 8 bytes of fragmented packet. Additionally
> reassembly attacks are much harder as there is 32 bits of fragmentation
> identifier rather than 16 in IPv4.
>
> IPv6 fragmentation was designed with knowledge of the IPv4 reassembly attacks
> in mind.
You'll get no argument from me, here. This is not new nor are ways to
deal with it unknown. Despite that, it's a common reason I hear for
just blindly dropping all fragments. Personally, I consider such
devices/stacks broken, but that doesn't mean we don't have to deal with
them, unfortunately.
--
Brandon Martin