Hi, Saku, On 01/12/2017 11:43 AM, Saku Ytti wrote:
On 12 January 2017 at 13:19, Fernando Gont <fgont@si6networks.com> wrote:
Hey,
I'm curious about whether folks are normally filtering ICMPv6 PTB<1280 and/or IPv6 fragments targeted to BGP routers (off-list datapoints are welcome).
Generally may be understood differently by different people. If generally is defined as single most typical behaviour/configuration, then generally people don't protect their infrastructure in any way at all, but fully rely vendor doing something reasonable.
I would argue BCP is to have 'strict' CoPP. Where you specifically allow what you must then have ultimate rule to deny everything. If you have such CoPP, then this attack won't work, as you clearly didn't allow any fragments at all (as you didn't expect to receive BGP fragments from your neighbours).
That's the point: If you don't allow fragments, but your peer honors ICMPv6 PTB<1280, then dropping fragments creates the attack vector. -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492