Re: IPv6 Fragmentation

2021-02-21 Thread Kristof Provost
On 21 Feb 2021, at 0:02, Doug Hardie wrote: On 20 February 2021, at 04:13, Kristof Provost wrote: If you don’t have scrub fragment reassemble set then you have to include something like pass log inet6 proto ipv6-frag all to pass fragmented packets (assuming you block by default). You reall

Re: IPv6 Fragmentation

2021-02-20 Thread Doug Hardie
> On 20 February 2021, at 04:13, Kristof Provost wrote: > > If you don’t have scrub fragment reassemble set then you have to include > something like pass log inet6 proto ipv6-frag all to pass fragmented packets > (assuming you block by default). > > You really, really want scrub fragment re

Re: IPv6 Fragmentation

2021-02-20 Thread Kristof Provost
On 20 Feb 2021, at 5:32, Doug Hardie wrote: On 19 February 2021, at 01:48, Michael Tuexen wrote: On 19. Feb 2021, at 03:29, Doug Hardie wrote: I don't know if this is a feature or a bug. On FreeBSD 9, the following ping worked: ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0 I don't

Re: IPv6 Fragmentation

2021-02-20 Thread Michael Tuexen
> On 20. Feb 2021, at 05:32, Doug Hardie wrote: > >> On 19 February 2021, at 01:48, Michael Tuexen >> wrote: >> >>> On 19. Feb 2021, at 03:29, Doug Hardie wrote: >>> >>> I don't know if this is a feature or a bug. On FreeBSD 9, the following >>> ping worked: >>> >>> ping6 -s 5000 -b 6000

Re: IPv6 Fragmentation

2021-02-19 Thread Doug Hardie
> On 19 February 2021, at 01:48, Michael Tuexen > wrote: > >> On 19. Feb 2021, at 03:29, Doug Hardie wrote: >> >> I don't know if this is a feature or a bug. On FreeBSD 9, the following >> ping worked: >> >> ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0 > I don't have a dc0 interface,

Re: IPv6 Fragmentation

2021-02-19 Thread Doug Hardie
> On 19 February 2021, at 01:48, Michael Tuexen > wrote: > >> On 19. Feb 2021, at 03:29, Doug Hardie wrote: >> >> I don't know if this is a feature or a bug. On FreeBSD 9, the following >> ping worked: >> >> ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0 > I don't have a dc0 interface,

Re: IPv6 Fragmentation

2021-02-19 Thread Michael Tuexen
> On 19. Feb 2021, at 03:29, Doug Hardie wrote: > > I don't know if this is a feature or a bug. On FreeBSD 9, the following ping > worked: > > ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0 I don't have a dc0 interface, but using re0 at one side and bge at the other, I get with FreeBSD CU

IPv6 Fragmentation

2021-02-18 Thread Doug Hardie
I don't know if this is a feature or a bug. On FreeBSD 9, the following ping worked: ping6 -s 5000 -b 6000 fe80::213:72ff:fec3:180f%dc0 It had to be stopped, but it returned the number of ping responses received along with statistics. With FreeBSD 12.2 and 13.0-BETA2, it returns 100% packet l

Fwd: RFC 6980 on Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery

2013-08-14 Thread Fernando Gont
Folks, FYI. -- this is an important piece when it comes to First Hop (i.e., "local link") Security. Cheers, Fernando Original Message Subject: RFC 6980 on Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery Date: Tue, 13 Aug 2013 15:13:21

Fwd: IPv6 NIDS evasion and IPv6 fragmentation/reassembly improvements

2012-02-23 Thread Doug Barton
Looks like we are making progress here, but are not quite there yet. Original Message Subject: IPv6 NIDS evasion and IPv6 fragmentation/reassembly improvements Date: Wed, 22 Feb 2012 16:57:22 -0300 From: Fernando Gont Organization: SI6 Networks To: ipv6-...@lists.cluenet.de

Re: IPv6 fragmentation weirdness

2009-05-25 Thread JINMEI Tatuya / 神明達哉
At Thu, 14 May 2009 14:42:35 -0700, "Kevin Oberman" wrote: > I then captured the ICMP and discovered that the kernel was fragmenting > all of them! Worse, the fragment was sent out before the ICMP! What the > heck is going on! Thread synchronization? > > When I captured the packets (via tcpdump

Re: IPv6 fragmentation weirdness

2009-05-15 Thread Steve Bertrand
Steve Bertrand wrote: > Kevin Oberman wrote: > >> Second, why the heck is the fragment going out first? This should be OK, >> but I suspect many firewalls (which are often not happy with fragments) >> are not likely to pass a fragment which precedes the initial frame. > > I'll try to find some ti

Re: IPv6 fragmentation weirdness

2009-05-15 Thread Steve Bertrand
Kevin Oberman wrote: > Second, why the heck is the fragment going out first? This should be OK, > but I suspect many firewalls (which are often not happy with fragments) > are not likely to pass a fragment which precedes the initial frame. I'll try to find some time today to see if I can replicat

Re: IPv6 fragmentation weirdness

2009-05-14 Thread Bjoern A. Zeeb
On Thu, 14 May 2009, Kevin Oberman wrote: Hi, Date: Fri, 15 May 2009 00:09:02 +0200 (CEST) From: sth...@nethelp.no First, why is the kernel fragmenting this at all as it fits in the interface MTU? Good question, I definitely disagree with this behavior and would say that it breaks POLA. But

Re: IPv6 fragmentation weirdness

2009-05-14 Thread Kevin Oberman
> Date: Fri, 15 May 2009 00:09:02 +0200 (CEST) > From: sth...@nethelp.no > > > First, why is the kernel fragmenting this at all as it fits in the > > interface MTU? > > Good question, I definitely disagree with this behavior and would say > that it breaks POLA. But it's documented (see the ping6

Re: IPv6 fragmentation weirdness

2009-05-14 Thread sthaug
> First, why is the kernel fragmenting this at all as it fits in the > interface MTU? Good question, I definitely disagree with this behavior and would say that it breaks POLA. But it's documented (see the ping6 -m option). > Can anyone fetch anything from ftp.funet.fi via IPv6? I suspect it is >

IPv6 fragmentation weirdness

2009-05-14 Thread Kevin Oberman
I have recently noticed problems with data transfers via IPv6. Attempt to fetch files from some sites was hanging as soon as the data started to flow. Felt like an MTU issue, so I tried sending various sizes of ICMP echo (ping) packets and discovered that I could not send a packet of over 1280 byte