[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Fernando Gont fgont at si6networks.com
Tue Oct 20 02:42:19 CEST 2015


Hi, Gert,

On 10/17/2015 09:53 AM, Gert Doering wrote:
> Hi,
> 
> On Sat, Oct 17, 2015 at 02:44:40PM +0200, Enno Rey wrote:
>> I will happily change my stance once I see an actual real-life
>> ticket covering non-availability of a service based on filtering
>> fragments which would have been needed for that service's
>> functionality.
> 
> The problem with this stance is that you add to other people's bills
> - DNS will fall back to TCP if UDP packets can't get through, but
> that causes more load to the server...  so it will seem to "work",
> and you'll never notice.

Well, there's also the issue that right now you usually still have v4 as
DNS transport. When this is no longer the case, the harm caused by IPv6
fragment drops may become more evident.



> (I do observe issues with UDP fragments here, as FreeBSD's pf is
> still too stupid to properly handle them, and some things work slower
> as a consequence, and others don't work at all - like, TCP through a
> Netscreen NAT64, which will emit atomic fragments...)

Including atomic fragments in the NAT64 was bad design, IMO.
Particularly when the spec itself acknowledged that they don't work.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
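The failure mode Gert describes (TCP through a NAT64 that emits atomic fragments, dropped by a box that cannot tell an atomic fragment from a real one) can be shown with a few constructed packets. The following is an added example, not code from this thread, from thc-ipv6, pf or any NAT64 product. It builds the same TCP SYN three ways (plain, wrapped in a Fragment Header with offset 0 and M=0, i.e. an atomic fragment, and as a genuine first fragment with M=1), walks the extension-header chain, and compares a "drop anything with a Fragment Header" policy with the RFC 6946 behaviour of processing an atomic fragment as if the Fragment Header were not there. All helper names, the 2001:db8::/32 addresses and the fragment identifications are assumptions made for the example; the TCP checksum is left at zero because nothing here verifies it.

```python
"""Added example: how a fragment filter treats IPv6 atomic fragments.

An atomic fragment carries a Fragment Header whose Fragment Offset is 0
and whose M (more fragments) bit is 0: the whole datagram is in that one
"fragment". RFC 6946 asks receivers to process it as an unfragmented
packet. Helper names are hypothetical; packets are constructed inline.
"""
import struct
import ipaddress

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPV6_HOPOPTS, IPV6_ROUTING, IPV6_FRAG, IPV6_DSTOPTS = 0, 43, 44, 60
OPTION_HEADERS = (IPV6_HOPOPTS, IPV6_ROUTING, IPV6_DSTOPTS)

SRC = "2001:db8::1"   # constructed addresses from the documentation prefix
DST = "2001:db8::2"


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header followed by payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def build_fragment_header(next_header, offset, more, ident):
    """8-byte Fragment Header; offset is in 8-octet units (13 bits)."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def build_tcp_segment(sport, dport, seq, flags, data=b""):
    """Minimal 20-byte TCP header; checksum left 0 (nothing here checks it)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                       65535, 0, 0) + data


def parse_ipv6(pkt):
    """Walk the extension-header chain; report fragment state and upper-layer protocol."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    end = 40 + payload_len
    if len(pkt) < end:
        raise ValueError("truncated IPv6 payload")
    off, prev_nh_pos, frag = 40, 6, None
    while nh in OPTION_HEADERS or nh == IPV6_FRAG:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nh == IPV6_FRAG:
            if frag is not None:
                raise ValueError("more than one Fragment Header")
            next_nh, _res, field, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag = {"pos": off, "prev_nh_pos": prev_nh_pos, "offset": field >> 3,
                    "more": bool(field & 1), "id": ident}
            ext_len = 8
        else:
            next_nh, ext_len = pkt[off], (pkt[off + 1] + 1) * 8
            if off + ext_len > end:
                raise ValueError("truncated extension header")
        prev_nh_pos, nh, off = off, next_nh, off + ext_len
    atomic = frag is not None and frag["offset"] == 0 and not frag["more"]
    return {"ulp": nh, "frag": frag, "is_atomic": atomic, "payload": pkt[off:end]}


def drop_all_fragments(info):
    """Naive policy: anything with a Fragment Header is dropped. True = passed."""
    return info["frag"] is None


def drop_non_atomic_fragments(info):
    """RFC 6946 policy: an atomic fragment counts as an unfragmented packet."""
    return info["frag"] is None or info["is_atomic"]


def strip_atomic_fragment_header(pkt):
    """Process an atomic fragment as RFC 6946 says: remove its Fragment Header."""
    info = parse_ipv6(pkt)
    if not info["is_atomic"]:
        raise ValueError("not an atomic fragment")
    pos, prev = info["frag"]["pos"], info["frag"]["prev_nh_pos"]
    out = bytearray(pkt[:pos] + pkt[pos + 8:])
    out[prev] = pkt[pos]          # Next Header value carried by the Fragment Header
    out[4:6] = struct.pack("!H", struct.unpack("!H", pkt[4:6])[0] - 8)
    return bytes(out)


def demo():
    """Same TCP SYN three ways; returns what each policy does with it."""
    syn = build_tcp_segment(40000, 443, 1, 0x02)
    plain = build_ipv6(SRC, DST, IPPROTO_TCP, syn)
    # What a translator that puts a Fragment Header in front of an
    # unfragmented segment hands to the IPv6 side: offset 0, M=0.
    atomic = build_ipv6(SRC, DST, IPV6_FRAG,
                        build_fragment_header(IPPROTO_TCP, 0, False, 0x1234) + syn)
    # A genuine first fragment (M=1) of a larger UDP datagram, for contrast.
    first = build_ipv6(SRC, DST, IPV6_FRAG,
                       build_fragment_header(IPPROTO_UDP, 0, True, 0x5678) + b"\0" * 32)
    out = {}
    for name, pkt in (("plain", plain), ("atomic", atomic), ("first_frag", first)):
        info = parse_ipv6(pkt)
        out[name] = {"is_atomic": info["is_atomic"],
                     "drop_all_fragments": drop_all_fragments(info),
                     "rfc6946": drop_non_atomic_fragments(info)}
    out["atomic_stripped_equals_plain"] = strip_atomic_fragment_header(atomic) == plain
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the plain SYN passing both policies, the atomic fragment passing only the RFC 6946 policy, and the real first fragment failing both; stripping the Fragment Header from the atomic fragment yields exactly the plain packet, which is why a filter that looks only for Next Header 44 is blocking a complete, reassembly-free TCP segment.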