[ipv6hackers] ip6tables and fragmentation

Fernando Gont fgont at si6networks.com
Thu Jan 24 02:06:10 CET 2013

Hola, Guillermo,

On 01/23/2013 08:29 AM, Guillermo Lafuente Tejero wrote:
> The problem that I have if that if I send an ICMPv6 Echo Request
> large enough to force fragmentation the result is that the ping
> fails. What is actually happening (or at least is what I have
> deduced) is that the first fragment reaches the host, ip6tables
> inspect the packet and accepts it as there is a rule allowing ICMPv6
> Echo Requests. Then the fragment comes, and ip6tables is not able to
> match the fragment to any rule, so the packet is discarded.

If you're doing stateless firewalling, you need to include rules that
pass non-first fragments. Then security relies on:

* The firewall's ability to properly filter first-fragments (i.e.,
fragments with a Fragmet Offset of 0), *and*,
* Whether the hosts "protected" by the firewall implement RFC 5722

If you don't want/like this, you should do stateful filtering.

> Now the
> application layer (or whatever layer is in charge of reassembling the
> packet) will be waiting for the next fragment,

The IPv6 layer ;-)

> Is there any way of making ip6tables aware of the fragments? 

You could include a last rule that passes packets that have the
Fragmentation Header "protocol type"...

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list