[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Tim Chown tjc at ecs.soton.ac.uk
Wed Oct 21 00:48:41 CEST 2015

> On 20 Oct 2015, at 01:42, Fernando Gont <fgont at si6networks.com> wrote:
> Hi, Gert,
> On 10/17/2015 09:53 AM, Gert Doering wrote:
>> Hi,
>> On Sat, Oct 17, 2015 at 02:44:40PM +0200, Enno Rey wrote:
>>> I will happily change my stance once I see an actual real-life
>>> ticket covering non-availability of a service based on filtering
>>> fragments which would have been needed for that service's
>>> functionality.
>> The problem with this stance is that you add to other people's bills
>> - DNS will fall back to TCP if UDP packets can't get through, but
>> that causes more load to the server...  so it will seem to "work",
>> and you'll never notice.
> Well, there's also the issue that right now you usually still have v4 as
> DNS transport. When this is not longer the case, the harm caused by IPv6
> fragment drops may become more evident.

So for those of us doing IPv6 DNS, how would you recommend measuring that harm?

>> (I do observe issues with UDP fragments here, as FreeBSD's pf is
>> still too stupid to properly handle them, and some things work slower
>> as a consequence, and others don't work at all - like, TCP through a
>> Netscreen NAT64, which will emit atomic fragments...)
> Including atomic fragments in the NAT64 was bad design, IMO.
> Particularly when the spec itself acknowledged that they don't work.

Hmmm :)


> Thanks!
> Cheers,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

More information about the Ipv6hackers mailing list