[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Gert Doering gert at space.net
Sat Oct 17 14:53:35 CEST 2015


Hi,

On Sat, Oct 17, 2015 at 02:44:40PM +0200, Enno Rey wrote:
> I will happily change my stance once I see an actual real-life ticket covering non-availability of a service based on filtering fragments which would have been needed for that service's functionality.

The problem with this stance is that you add to other people's bills - DNS
will fall back to TCP if UDP packets can't get through, but that causes 
more load to the server...  so it will seem to "work", and you'll never
notice.

(I do observe issues with UDP fragments here, as FreeBSD's pf is still too
stupid to properly handle them, and some things work slower as a consequence,
and others don't work at all - like, TCP through a Netscreen NAT64, which
will emit atomic fragments...)

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
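
Added example, not part of the original message or of thc-ipv6: a classifier showing which IPv6 packets a blanket "drop all fragments" rule hits, including the atomic fragments (Fragment header with offset 0 and M=0) mentioned above. The names `classify_fragment` and `build_packet` are hypothetical, the sample packets are constructed, and only Hop-by-Hop, Routing and Destination Options headers are walked before the Fragment header.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
CHAINED = {HOP_BY_HOP, ROUTING, DEST_OPTS}  # generic (next header, length) layout


def classify_fragment(packet: bytes) -> str:
    """Return 'unfragmented', 'atomic', 'first', 'non-first' or 'malformed'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    next_header, offset = packet[6], 40
    while next_header in CHAINED:
        if len(packet) < offset + 8:
            return "malformed"
        # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
        next_header, length = packet[offset], (packet[offset + 1] + 1) * 8
        offset += length
    if next_header != FRAGMENT:
        return "unfragmented"
    if len(packet) < offset + 8:
        return "malformed"
    (off_flags,) = struct.unpack_from("!H", packet, offset + 2)
    frag_offset, more = off_flags >> 3, off_flags & 1
    if frag_offset == 0 and not more:
        return "atomic"  # RFC 6946: Fragment header present, nothing split off
    return "first" if frag_offset == 0 else "non-first"


def build_packet(frag_field=None, payload=bytes(20), upper=6):
    """Constructed sample packet: IPv6 header, optional Fragment header, payload."""
    ext = b"" if frag_field is None else struct.pack("!BBHI", upper, 0, frag_field, 0x1234)
    first_nh = FRAGMENT if ext else upper
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), first_nh, 64)
    return hdr + bytes(32) + ext + payload  # all-zero addresses, sample only


if __name__ == "__main__":
    samples = {"plain TCP": None, "atomic": 0x0000, "first": 0x0001, "last": 185 << 3}
    for name, field in samples.items():
        verdict = classify_fragment(build_packet(field))
        hit = verdict in ("atomic", "first", "non-first")
        print(f"{name:10} -> {verdict:12} dropped by 'block all fragments': {hit}")
```
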

