[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Marc Heuse mh at mh-sec.de
Sat Oct 17 17:26:39 CEST 2015


>> On Sat, Oct 17, 2015 at 08:51:25AM +0200, Enno Rey wrote:
>>> except for the IP version that kinda deprecates fragmentation, that is IPv6.
>>
>> Uh, what?  IPv6 deprecates *router* fragmentation - but if you want to send
>> a 2k UDP packet (like, a large DNS reply), fragmentation is all you have...
> 
> sure. in particular if it is delivered by Santa Claus.
> as long as the probability of each of those attributes of a packet is roughly equivalent for $NETWORK it just makes sense to filter such packets, especially if those could otherwise cause significant harm. which Marc's additions to his tool prove, yet another time.
> 
> I will happily change my stance once I see an actual real-life ticket covering non-availability of a service based on filtering fragments which would have been needed for that service's functionality.

no Enno, filtering fragmented packets is harmful.
For every person who is behind a tunnel or accesses resources behind a
tunnel - or misconfigured networks (MTU < 1500) - ISPs who filter
fragmented IPv6 packets blackhole the communication there.

and please do not make a joke about oversized UDP packets. with DNSSEC
this is actually required. and we need DNSSEC. we don't see that problem
much because companies don't implement it (yet).

*because* the networks must support fragmentation, it is important that
there is an RFC that is more tight on extension headers as well as that
security products must look deeply into the packets.

Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D  3807 C7EE D0A0 6BE9 F573
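Added here as an illustration (not code from the thread, and not part of thc-ipv6): a small Python parser that walks an IPv6 extension header chain, which is what "looking deeply into the packets" means in practice, and reports whether a fragment carries the upper-layer header (which RFC 7112 requires of the first fragment) rather than dropping every fragment outright. The sample packets are constructed inline; addresses, ports and the fragment ID are made up.

```python
import struct

# Extension headers carrying a (next_header, hdr_ext_len) prefix; total length is (hdr_ext_len + 1) * 8
VARLEN_EXT = {0: "hop-by-hop", 43: "routing", 60: "dest-options"}
FRAGMENT = 44
UPPER = {6: "tcp", 17: "udp", 58: "icmpv6"}

def walk_ipv6(pkt: bytes) -> dict:
    """Walk the header chain of a raw IPv6 packet; report fragment info and
    whether the upper-layer header is present in this packet (RFC 7112 requires
    the first fragment to carry the whole header chain)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, frag = pkt[6], 40, [], None
    while True:
        if nh in VARLEN_EXT and off + 2 <= len(pkt):
            chain.append(VARLEN_EXT[nh])
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == FRAGMENT and off + 8 <= len(pkt):
            chain.append("fragment")
            nh, _, frag_field, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag = {"offset": (frag_field >> 3) * 8, "more": bool(frag_field & 1), "id": ident}
            off += 8
            if frag["offset"] != 0:  # non-first fragment: only payload follows, no upper-layer header
                return {"chain": chain, "fragment": frag, "upper": None, "upper_reachable": False}
        elif nh in VARLEN_EXT or nh == FRAGMENT:
            # packet ends inside the extension header chain: unclassifiable without reassembly
            return {"chain": chain, "fragment": frag, "upper": None, "upper_reachable": False}
        else:
            upper = UPPER.get(nh, f"proto-{nh}")
            return {"chain": chain, "fragment": frag, "upper": upper,
                    "upper_reachable": off + 8 <= len(pkt)}  # first 8 bytes of UDP/TCP/ICMPv6 present

def build_sample(first: bool) -> bytes:
    """Constructed sample: one fragment of an IPv6 UDP datagram (DNS-reply sized), not captured traffic."""
    if first:
        frag_field = (0 << 3) | 1                      # offset 0, M=1
        body = struct.pack("!HHHH", 53, 40000, 8 + 1232, 0) + b"\x00" * 24  # UDP header + start of payload
    else:
        frag_field = (1232 // 8) << 3                  # offset 1232, M=0: tail of the datagram
        body = b"\x00" * 16
    fraghdr = struct.pack("!BBHI", 17, 0, frag_field, 0xABCD1234)
    ip6 = struct.pack("!IHBB", 6 << 28, 8 + len(body), FRAGMENT, 64) + bytes(15) + b"\x01" + bytes(15) + b"\x02"
    return ip6 + fraghdr + body
```

A filter built on this can pass first fragments whose upper-layer header is visible and treat only the "header chain runs off the end" case as suspicious, instead of blackholing all fragmented traffic.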

