[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions
Enno Rey
erey at ernw.de
Sat Oct 17 14:44:40 CEST 2015
Hi,
On Sat, Oct 17, 2015 at 02:05:40PM +0200, Gert Doering wrote:
> Hi,
>
> On Sat, Oct 17, 2015 at 08:51:25AM +0200, Enno Rey wrote:
> > except for the IP version that kinda deprecates fragmentation, that is IPv6.
>
> Uh, what? IPv6 deprecates *router* fragmentation - but if you want to send
> a 2k UDP packet (like, a large DNS reply), fragmentation is all you have...

sure. in particular if it is delivered by Santa Claus.

as long as the probability of each of those attributes of a packet is roughly equivalent for $NETWORK it just makes sense to filter such packets, especially if those could otherwise cause significant harm. which Marc's additions to his tool prove, yet another time.

I will happily change my stance once I see an actual real-life ticket covering non-availability of a service based on filtering fragments which would have been needed for that service's functionality.

cheers

Enno

>
> Gert Doering
> -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================