[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions
Tim Chown
tjc at ecs.soton.ac.uk
Wed Oct 21 00:48:41 CEST 2015
> On 20 Oct 2015, at 01:42, Fernando Gont <fgont at si6networks.com> wrote:
>
> Hi, Gert,
>
> On 10/17/2015 09:53 AM, Gert Doering wrote:
>> Hi,
>>
>> On Sat, Oct 17, 2015 at 02:44:40PM +0200, Enno Rey wrote:
>>> I will happily change my stance once I see an actual real-life
>>> ticket covering non-availability of a service based on filtering
>>> fragments which would have been needed for that service's
>>> functionality.
>>
>> The problem with this stance is that you add to other people's bills
>> - DNS will fall back to TCP if UDP packets can't get through, but
>> that causes more load to the server... so it will seem to "work",
>> and you'll never notice.
>
> Well, there's also the issue that right now you usually still have v4 as
> DNS transport. When this is no longer the case, the harm caused by IPv6
> fragment drops may become more evident.

So for those of us doing IPv6 DNS, how would you recommend measuring that harm?

>> (I do observe issues with UDP fragments here, as FreeBSD's pf is
>> still too stupid to properly handle them, and some things work slower
>> as a consequence, and others don't work at all - like, TCP through a
>> Netscreen NAT64, which will emit atomic fragments...)
>
> Including atomic fragments in the NAT64 was bad design, IMO.
> Particularly when the spec itself acknowledged that they don't work.
Hmmm :)
Tim
>
> Thanks!
>
> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492