[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Enno Rey erey at ernw.de
Sat Oct 17 14:44:40 CEST 2015


Hi,

On Sat, Oct 17, 2015 at 02:05:40PM +0200, Gert Doering wrote:
> Hi,
> 
> On Sat, Oct 17, 2015 at 08:51:25AM +0200, Enno Rey wrote:
> > except for the IP version that kinda deprecates fragmentation, that is IPv6.
> 
> Uh, what?  IPv6 deprecates *router* fragmentation - but if you want to send
> a 2k UDP packet (like, a large DNS reply), fragmentation is all you have...

sure. in particular if it is delivered by Santa Claus.
as long as the probability of each of those attributes of a packet is roughly equivalent for $NETWORK it just makes sense to filter such packets, especially if those could otherwise cause significant harm. which Marc's additions to his tool prove, yet another time.

I will happily change my stance once I see an actual real-life ticket covering non-availability of a service based on filtering fragments which would have been needed for that service's functionality.

cheers

Enno







> 
> Gert Doering
>         -- NetMaster
> -- 
> have you enabled IPv6 on something today...?
> 
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================


More information about the Ipv6hackers mailing list