[ipv6hackers] ip6tables and fragmentation

Guillermo Lafuente Tejero guiye1984 at hotmail.com
Wed Jan 23 12:29:08 CET 2013


I have a set of rules for ip6tables, which I have designed mainly following the RFCs' recommendations plus a little bit of common sense about what should and should not be allowed.

The problem that I have is that if I send an ICMPv6 Echo Request large enough to force fragmentation, the result is that the ping fails. What is actually happening (or at least what I have deduced) is that the first fragment reaches the host, ip6tables inspects the packet and accepts it, as there is a rule allowing ICMPv6 Echo Requests. Then the next fragment comes, and ip6tables is not able to match the fragment to any rule, so the packet is discarded. Now the application layer (or whatever layer is in charge of reassembling the packet) will be waiting for the next fragment; as the packet was discarded, it will eventually time out and an ICMPv6 error message will be returned.

Is there any way of making ip6tables aware of the fragments? What I want is for ip6tables to wait for the fragments, reassemble the packet, and then make the decision. Obviously I want to achieve this in a secure manner; I don't want to blindly accept fragments, as this could be abused to bypass the FW (first fragment valid, then send whatever I want...).
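
The following is an added example, not part of the original message and not ip6tables code: a small Python model of what the poster describes. It builds an oversized ICMPv6 Echo Request, fragments it the way RFC 2460 does, and runs the fragments through two filters. The stateless one (a per-packet "accept echo-request" rule) can only match the fragment at offset 0, because the later fragments carry no ICMPv6 header at all, just a Fragment Header and raw payload bytes. The stateful one reassembles first and decides on the whole datagram, with the two controls that make "reassemble, then decide" safe: a cap on pending chains (so an attacker cannot park endless incomplete chains in memory) and rejection of overlapping fragments (RFC 5722), so a later fragment cannot rewrite bytes a filter already looked at. The addresses (from the 2001:db8::/32 documentation prefix), the 2000-byte ping payload and the chain limits are constructed for the example.

```python
import struct

IPPROTO_ICMPV6 = 58
IPPROTO_FRAGMENT = 44
ICMPV6_ECHO_REQUEST = 128

# Constructed sample addresses (2001:db8::1 -> 2001:db8::2), not from the original post.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(payload_len, next_hdr, src, dst):
    """Base IPv6 header: version 6, traffic class/flow label 0, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 64) + src + dst


def fragment(src, dst, next_hdr, upper, ident, mtu=1280):
    """Split an upper-layer packet into IPv6 fragments (RFC 2460 section 4.5).
    Each fragment gets an 8-byte Fragment Header; only the offset-0 fragment
    carries the upper-layer (ICMPv6) header."""
    chunk = ((mtu - 40 - 8) // 8) * 8       # data per fragment, multiple of 8 octets
    frags, offset = [], 0
    while offset < len(upper):
        piece = upper[offset:offset + chunk]
        more = 1 if offset + len(piece) < len(upper) else 0
        frag_hdr = struct.pack("!BBHI", next_hdr, 0, (offset // 8) << 3 | more, ident)
        frags.append(ipv6_header(8 + len(piece), IPPROTO_FRAGMENT, src, dst) + frag_hdr + piece)
        offset += len(piece)
    return frags


def parse(pkt):
    """Return (next_hdr, data, frag); frag is None or (offset_in_8_octets, more, ident)."""
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    payload = pkt[40:40 + payload_len]
    if next_hdr != IPPROTO_FRAGMENT:
        return next_hdr, payload, None
    inner_nh, _, offlg, ident = struct.unpack("!BBHI", payload[:8])
    return inner_nh, payload[8:], (offlg >> 3, offlg & 1, ident)


def stateless_accept(pkt):
    """Per-packet rule 'accept ICMPv6 echo-request'. A non-first fragment has no
    ICMPv6 header to inspect, so its only honest verdict is 'no match' (policy drop)."""
    next_hdr, data, frag = parse(pkt)
    if next_hdr != IPPROTO_ICMPV6 or (frag is not None and frag[0] != 0):
        return False
    return len(data) >= 1 and data[0] == ICMPV6_ECHO_REQUEST


class Reassembler:
    """Collects fragments per (src, dst, id) and releases the datagram only when complete.
    MAX_PENDING bounds memory held by never-completing chains; any overlap (RFC 5722)
    or out-of-bounds fragment discards the whole chain instead of patching it."""
    MAX_PENDING = 64          # constructed limit for the example
    MAX_DATAGRAM = 65535

    def __init__(self):
        self.pending = {}

    def feed(self, pkt):
        src, dst = pkt[8:24], pkt[24:40]
        next_hdr, data, frag = parse(pkt)
        if frag is None:
            return next_hdr, data                 # unfragmented: decide immediately
        offset, more, ident = frag
        key = (src, dst, ident)
        state = self.pending.get(key)
        if state is None:
            if len(self.pending) >= self.MAX_PENDING:
                return None                       # refuse to grow: drop the fragment
            state = self.pending[key] = {"nh": next_hdr, "parts": {}, "total": None}
        start, end = offset * 8, offset * 8 + len(data)
        bad = (more and len(data) % 8) or end > self.MAX_DATAGRAM \
            or (state["total"] is not None and end > state["total"]) \
            or any(start < e and s < end for s, e in state["parts"])
        if bad:
            del self.pending[key]                 # overlap/oversize: drop the whole chain
            return None
        state["parts"][(start, end)] = data
        if not more:
            state["total"] = end
        total = state["total"]
        if total is not None and sum(e - s for s, e in state["parts"]) == total:
            del self.pending[key]
            return state["nh"], b"".join(state["parts"][k] for k in sorted(state["parts"]))
        return None


def stateful_accept(reasm, pkt):
    """None while the chain is incomplete (or dropped); otherwise the verdict on the whole datagram."""
    result = reasm.feed(pkt)
    if result is None:
        return None
    next_hdr, upper = result
    return next_hdr == IPPROTO_ICMPV6 and upper[0] == ICMPV6_ECHO_REQUEST


def build_frags():
    """Constructed oversized Echo Request (id 0x1234, seq 1, 2000 zero bytes) split at a 1280 MTU."""
    echo = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 0x1234, 1) + bytes(2000)
    return fragment(SRC, DST, IPPROTO_ICMPV6, echo, ident=0xCAFE)


def demo():
    frags = build_frags()
    per_fragment = [stateless_accept(f) for f in frags]          # only fragment 0 matches
    reasm = Reassembler()
    verdicts = [stateful_accept(reasm, f) for f in frags]        # decided once, on the whole ping
    return len(frags), per_fragment, verdicts


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives two fragments, `[True, False]` from the per-fragment filter (exactly the "first fragment accepted, rest dropped" the post describes) and `[None, True]` from the reassembling one. On Linux the reassembling path is what the kernel's connection-tracking code provides: nf_defrag_ipv6, loaded with nf_conntrack_ipv6, reassembles before the filter table sees the packet, so a ruleset that uses connection tracking matches the echo-request rule against the whole datagram rather than against bare fragments.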

