Kristof - IPv6 Frag

Hi guys,

I was just listening to Big Int Trouble and can’t resist writing in regarding
the IPv6 fragmentation question.

Fragmentation exists in both IPv4 and IPv6.
The main difference between v4 and v6 fragmentation is that in v4 intermediate
routers will fragment packets that are too big.  In v6 they’ll just drop them
and send an ICMP Packet-Too-Big error back.  In other words: only the sending
host can fragment in v6, while in v4 all routers along the path can fragment.
This doesn’t make a huge difference for the sending or receiving host, but it
complicates the implementation of firewalls a bit.

What Joe’s doing now (presumably something like this:
‘pass in inet6 proto ipv6-frag’. That will let any packet with a fragment
header through the firewall, essentially rendering it useless. If for example
he’d want to forbid any TCP packets on port 666 that could be trivially
circumvented by sending the TCP packets in two fragmented packets. pf would be
unable to figure out the TCP port, but the fragment rule would let them
through.

What he wants to do instead is ‘scrub in all fragment reassemble’. This tells
pf to reassemble the packet before it’s filtered. This means that the rules
will apply to the reassembled packet. In the previous example that’d mean that
pf would reassemble the packet first, and then be able to look at the TCP and
make a decision based on that.  This is supported in 10.3 and 11.

As for his question about avoiding fragmentation, I have to admit that I'm not
quite sure why he's even seeing it here. Usually TCP is clever enough to avoid
the need for fragmentation in the first place.
The size of the fragmented payload (1240) is suggestive, because 1280 is the
lowest allowed MTU for IPv6. There might be a configuration error somewhere,
but I don't have enough information here to say for sure.

He can probably get rid this fragmentation by forcing the TCP MSS (maximum
segment size) to be set.
Something like this: 'scrub inet6 max-mss 1240'

Regards,
Kristof