Hi guys,

I was just listening to Big Int Trouble and can't resist writing in regarding the IPv6 fragmentation question.

Fragmentation exists in both IPv4 and IPv6.

The main difference between v4 and v6 fragmentation is that in v4 intermediate routers will fragment packets that are too big. In v6 they'll just drop them and send an ICMP Packet-Too-Big error back. In other words: only the sending host can fragment in v6, while in v4 all routers along the path can fragment. This doesn't make a huge difference for the sending or receiving host, but it complicates the implementation of firewalls a bit.

What Joe's doing now is presumably something like this: 'pass in inet6 proto ipv6-frag'. That will let any packet with a fragment header through the firewall, essentially rendering it useless. If for example he'd want to forbid any TCP packets on port 666, that could be trivially circumvented by sending the TCP packets in two fragmented packets. pf would be unable to figure out the TCP port, but the fragment rule would let them through.

What he wants to do instead is 'scrub in all fragment reassemble'. This tells pf to reassemble the packet before it's filtered. This means that the rules will apply to the reassembled packet. In the previous example that'd mean that pf would reassemble the packet first, and then be able to look at the TCP and make a decision based on that. This is supported in 10.3 and 11.

As for his question about avoiding fragmentation, I have to admit that I'm not quite sure why he's even seeing it here. Usually TCP is clever enough to avoid the need for fragmentation in the first place.

The size of the fragmented payload (1240) is suggestive, because 1280 is the lowest allowed MTU for IPv6. There might be a configuration error somewhere, but I don't have enough information here to say for sure.

He can probably get rid of this fragmentation by forcing the TCP MSS (maximum segment size) to be set. Something like this: 'scrub inet6 max-mss 1240'

Regards,
Kristof
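The two pf.conf variants Kristof contrasts, written out as a complete ruleset. This is an added example, not part of the original message or of pf's own documentation; the interface name em0 is an assumption, port 666 is taken from the message's own scenario, and the MSS value is the one the message suggests.

```pf
# Added example (not from the original message). em0, the port and the
# MSS value are illustrative; adjust them for the host in question.

# Weak rule: every packet carrying an IPv6 Fragment header is passed without
# inspection. Non-first fragments carry no TCP header, so a later
# "block ... port 666" rule can never match them and the block is bypassed.
# pass in inet6 proto ipv6-frag

# Corrected: reassemble fragments before the filter rules run, so each rule
# below sees the whole packet, TCP ports included (FreeBSD 10.3 and 11).
scrub in all fragment reassemble

# Optional: clamp the advertised TCP MSS so peers send segments small enough
# to fit a 1280-byte (minimum IPv6) MTU path without fragmenting.
# 1240 is the value suggested in the message above.
scrub inet6 max-mss 1240

# With reassembly in place this rule also covers fragmented TCP traffic.
block in quick on em0 inet6 proto tcp from any to any port 666
pass in on em0 inet6 proto tcp from any to any
```

Scrub rules must precede filter rules in pf.conf, as shown. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. When choosing the max-mss value, derive it from the actual path MTU rather than copying a number: on a 1280-byte path the 40-byte IPv6 header and 20-byte TCP header leave 1220 bytes of segment data (less if TCP options are in use).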