Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-13 Thread Valdis . Kletnieks
On Sat, 14 Jan 2017 09:58:21 +1100, Mark Andrews said: > In message , Fernando > Gont writes: > > Disagree. Microsoft "reinvented" ping-o-death in IPv6, there have been > > several one-packet crashes disclosed for Cisco's (and the list continues). > > And they would have issued fixes for them. Mac

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-13 Thread Mark Andrews
In message <954a2fbd-580a-044b-07e7-63a0bf1bb...@si6networks.com>, Fernando Gont writes: > On 01/12/2017 11:14 PM, Mark Andrews wrote: > > In message > > > > , Fernando Gont writes: > >> On 12/1/2017 16:32, "Saku Ytti" wrote: > >> > >> On 12 January 2017 at 17:02, Fernando Gont wrote:

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-13 Thread Mark Andrews
In message , Fernando Gont writes: > On 01/12/2017 11:07 PM, Mark Andrews wrote: > > In message > > > > , Fernando Gont writes: > >> On 12/1/2017 16:28, "Mark Andrews" wrote: > >> > >>> In message <11ff128d-2fba-7c26-4a9c-5611433d8...@si6networks.com>, > >>> Fernando Gont writes: > >>

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-13 Thread Fernando Gont
On 01/12/2017 11:14 PM, Mark Andrews wrote: > In message > > , Fernando Gont writes: >> On 12/1/2017 16:32, "Saku Ytti" wrote: >> >> On 12 January 2017 at 17:02, Fernando Gont wrote: >>> That's the point: If you don't allow fragments, but your peer honors >>> ICMPv6 PTB<1280, then dropp

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-13 Thread Fernando Gont
On 01/12/2017 11:07 PM, Mark Andrews wrote: > In message > > , Fernando Gont writes: >> On 12/1/2017 16:28, "Mark Andrews" wrote: >> >>> In message <11ff128d-2fba-7c26-4a9c-5611433d8...@si6networks.com>, Fernando >>> Gont writes: Hi, Saku, On 01/12/2017 11:43 AM, Saku Ytt

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Mark Andrews
In message , Fernando Gont writes: > On 12/1/2017 16:32, "Saku Ytti" wrote: > > On 12 January 2017 at 17:02, Fernando Gont wrote: > > That's the point: If you don't allow fragments, but your peer honors > > ICMPv6 PTB<1280, then dropping fragments creates the attack vector. > > Thanks

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Mark Andrews
In message , Fernando Gont writes: > On 12/1/2017 16:28, "Mark Andrews" wrote: > > > In message <11ff128d-2fba-7c26-4a9c-5611433d8...@si6networks.com>, Fernando > > Gont writes: > > > Hi, Saku, > > > > > > On 01/12/2017 11:43 AM, Saku Ytti wrote: > > > > On 12 January 2017 at 13:19, Fe

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Fernando Gont
On 12/1/2017 16:32, "Saku Ytti" wrote: On 12 January 2017 at 17:02, Fernando Gont wrote: > That's the point: If you don't allow fragments, but your peer honors > ICMPv6 PTB<1280, then dropping fragments creates the attack vector. Thanks. I think I got it now. Best I can offer is that B could

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Fernando Gont
On 12/1/2017 16:28, "Mark Andrews" wrote: In message <11ff128d-2fba-7c26-4a9c-5611433d8...@si6networks.com>, Fernando Gont writes: > Hi, Saku, > > On 01/12/2017 11:43 AM, Saku Ytti wrote: > > On 12 January 2017 at 13:19, Fernando Gont wrote: > > > > Hey, > > > >> I'm curious about whether f

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Saku Ytti
On 12 January 2017 at 21:53, Fernando Gont wrote: > besides, because of ipv6 ehs, you're not really guaranteed to receive e.g. > the tcp header in the embedded payload (the embedded payload could easily be > fixed ipv6 header + ehs). If the CoPP drops what has not been explicitly allowed, then p

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Fernando Gont
Many (most?) implementations don't even check the embedded port numbers... so the attacker does not even need to guess the client port. Besides, because of ipv6 ehs, you're not really guaranteed to receive e.g. the tcp header in the embedded payload (the embedded payload could easily be fixed ipv6

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Saku Ytti
On 12 January 2017 at 17:02, Fernando Gont wrote: > That's the point: If you don't allow fragments, but your peer honors > ICMPv6 PTB<1280, then dropping fragments creates the attack vector. Thanks. I think I got it now. Best I can offer is that B could try to verify the embedded original packet?

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Mark Andrews
In message <11ff128d-2fba-7c26-4a9c-5611433d8...@si6networks.com>, Fernando Gont writes: > Hi, Saku, > > On 01/12/2017 11:43 AM, Saku Ytti wrote: > > On 12 January 2017 at 13:19, Fernando Gont wrote: > > > > Hey, > > > >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Fernando Gont
Hi, Saku, On 01/12/2017 11:43 AM, Saku Ytti wrote: > On 12 January 2017 at 13:19, Fernando Gont wrote: > > Hey, > >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280 >> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are >> welcome). > > Generally may b

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Saku Ytti
On 12 January 2017 at 13:19, Fernando Gont wrote: Hey, > I'm curious about whether folks are normally filtering ICMPv6 PTB<1280 > and/or IPv6 fragments targeted to BGP routers (off-list datapoints are > welcome). Generally may be understood differently by different people. If generally is defin

ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

2017-01-12 Thread Fernando Gont
Folks, I'm curious about whether folks are normally filtering ICMPv6 PTB<1280 and/or IPv6 fragments targeted to BGP routers (off-list datapoints are welcome). In any case, you might find it worth reading to check if you're affected (from Section 2 of recently-published RFC8021): cut here ---