Kristof - IPv6 Frag
Aug 22nd, 2016

Hi guys,

I was just listening to Big Int Trouble and can’t resist writing in regarding
the IPv6 fragmentation question.

Fragmentation exists in both IPv4 and IPv6.
The main difference between v4 and v6 fragmentation is that in v4 intermediate
routers will fragment packets that are too big. In v6 they’ll just drop them
and send an ICMP Packet-Too-Big error back. In other words: only the sending
host can fragment in v6, while in v4 all routers along the path can fragment.
This doesn’t make a huge difference for the sending or receiving host, but it
complicates the implementation of firewalls a bit.

What Joe’s doing now is presumably something like this:
‘pass in inet6 proto ipv6-frag’. That will let any packet with a fragment
header through the firewall, essentially rendering it useless. If for example
he’d want to forbid any TCP packets on port 666, that could be trivially
circumvented by sending the TCP packets in two fragmented packets. pf would be
unable to figure out the TCP port, but the fragment rule would let them
through.

What he wants to do instead is ‘scrub in all fragment reassemble’. This tells
pf to reassemble the packet before it’s filtered. This means that the rules
will apply to the reassembled packet. In the previous example that’d mean that
pf would reassemble the packet first, and then be able to look at the TCP
header and make a decision based on that. This is supported in 10.3 and 11.

As for his question about avoiding fragmentation, I have to admit that I'm not
quite sure why he's even seeing it here. Usually TCP is clever enough to avoid
the need for fragmentation in the first place.
The size of the fragmented payload (1240) is suggestive, because 1280 is the
lowest allowed MTU for IPv6. There might be a configuration error somewhere,
but I don't have enough information here to say for sure.

He can probably get rid of this fragmentation by forcing the TCP MSS (maximum
segment size) to be set.
Something like this: 'scrub inet6 max-mss 1240'

Regards,
Kristof