On Thu, 2 Aug 2018 23:34:37 +0000 Peter Oskolkov <p...@google.com> wrote:
> This behavior is required in IPv6, and there is little need
> to tolerate overlapping fragments in IPv4. This change
> simplifies the code and eliminates potential DDoS attack vectors.
>
> Tested: ran ip_defrag selftest (not yet available upstream).
>
> Suggested-by: David S. Miller <da...@davemloft.net>
> Signed-off-by: Peter Oskolkov <p...@google.com>
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Cc: Florian Westphal <f...@strlen.de>

There are a couple of relevant RFCs:

RFC 1858 - Security Considerations for IP Fragment Filtering
RFC 2460 - Handling of Overlapping IPv6 Fragments

Acked-by: Stephen Hemminger <step...@networkplumber.org>
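
An added illustration, not code from the patch or from the kernel: a minimal C reassembly queue that does not tolerate overlapping fragments, discarding the whole datagram on any overlap instead of trimming and merging. The structure, the function names and the choice to treat an exact duplicate as an overlap are assumptions made for this example.

```c
#include <stddef.h>
/* Hypothetical simplified reassembly queue; all names are assumptions. */
#define MAX_FRAGS 16
enum { FRAG_OK = 0, FRAG_DROP = -1 };

struct frag { unsigned start, end; };   /* byte range [start, end) */

struct frag_queue {
    struct frag frags[MAX_FRAGS];       /* sorted by start, never overlapping */
    size_t n;
    int dropped;                        /* set once an overlap has been seen */
};

/* Queue the fragment [offset, offset + len); any overlap drops the datagram. */
int frag_insert(struct frag_queue *q, unsigned offset, unsigned len)
{
    unsigned end = offset + len;
    size_t i, pos = 0;
    if (q->dropped || len == 0 || q->n == MAX_FRAGS)
        return FRAG_DROP;
    /* First stored fragment starting at or after the new one. */
    while (pos < q->n && q->frags[pos].start < offset)
        pos++;
    /* The list is sorted and disjoint, so only the neighbours can overlap:
     * the previous tail may cover our head, our tail may cover the next head. */
    if ((pos > 0 && q->frags[pos - 1].end > offset) ||
        (pos < q->n && q->frags[pos].start < end)) {
        q->n = 0;        /* discard everything queued so far */
        q->dropped = 1;  /* and refuse the datagram's later fragments */
        return FRAG_DROP;
    }
    for (i = q->n; i > pos; i--)        /* shift to keep the list sorted */
        q->frags[i] = q->frags[i - 1];
    q->frags[pos].start = offset;
    q->frags[pos].end = end;
    q->n++;
    return FRAG_OK;
}

/* Complete when the ranges run contiguously from 0 to total. */
int frag_complete(const struct frag_queue *q, unsigned total)
{
    unsigned next = 0;
    for (size_t i = 0; i < q->n; i++) {
        if (q->frags[i].start != next) return 0;
        next = q->frags[i].end;
    }
    return q->n > 0 && next == total;
}
```

Because nothing is ever trimmed or merged, the per-fragment work is one ordered lookup and two comparisons, and a sender cannot force repeated re-slicing of queued data.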