Sunday, November 19, 2017

Filtering Fragments

by Craig Miller


Overcoming fragmentation
Fragmentation is handled differently in IPv6: end stations perform fragmentation, not routers. That said, there are valid security concerns about exploits which hide the true contents of a packet behind a Fragment extension header, so that the first fragment carries no upper-layer header a filter can inspect (see Little bitsy pieces). But one needs to be careful about filtering all packets that carry a Fragment header.

Filtering all Fragmentation Headers can lead to DNS failures

Case in point: until recently (Oct 2017), Google's public IPv6 DNS servers were clearly filtering fragmented responses from authoritative servers. Queries with small responses would succeed, while queries whose responses were large enough to be fragmented would fail.

Careful with that Axe Eugene

While it is a good idea to filter extension headers such as the Fragment header when the packet is on link (see RFC 7113, Implementation Advice for IPv6 Router Advertisement Guard), one should not apply a blanket filter to all fragmented packets. Although PMTUD (Path MTU Discovery) is quite good at avoiding fragmentation, there are valid reasons why a packet, such as a DNS response carrying many IPv6 addresses, may still be fragmented by the sending host.
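The difference between a blanket fragment filter and a selective one, as an added example that is not part of the original post: a small Python script that builds a handful of IPv6 packets by hand (documentation-prefix addresses, zero checksums, made-up DNS and Router Advertisement payloads) and runs two filters over them. blanket_filter() drops anything carrying a Fragment header, the behaviour that breaks large DNS answers. selective_filter() walks the extension-header chain and drops only first fragments that do not carry the upper-layer header (the RA-Guard evasion described in RFC 7113, which RFC 7112 forbids) and Neighbor Discovery messages that arrive fragmented at all (which RFC 6980 forbids). The function names, the packet contents and the 1232-byte split point are all assumptions made for this example.

```python
"""Added example, not code from the original post. Builds a few IPv6 packets
by hand and runs two filters over them: blanket_filter() drops anything with
a Fragment header (what broke large DNS answers), selective_filter() drops
only the fragments a filter has reason to refuse. Addresses are from the
RFC 3849 documentation prefix, checksums are left zero, payloads are made up."""
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6 = 6, 17, 58
MIN_UPPER_LEN = {TCP: 20, UDP: 8, ICMPV6: 4}   # header bytes a first fragment must carry
ND_TYPES = {133, 134, 135, 136, 137}            # RS, RA, NS, NA, Redirect
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1 (constructed)
DST = bytes.fromhex("20010db8" + "00" * 11 + "02")   # 2001:db8::2 (constructed)


def ipv6(next_header, payload):
    """IPv6 header (RFC 8200): version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


def fragment_header(next_header, offset8, more, ident=0x1234ABCD):
    """Fragment header: next header, reserved, offset(13)|res(2)|M(1), identification."""
    return struct.pack("!BBHI", next_header, 0, (offset8 << 3) | int(more), ident)


def dest_opts(next_header, ext_len=0):
    """Destination Options header of (ext_len+1)*8 bytes, filled with one PadN option."""
    total = (ext_len + 1) * 8
    return bytes([next_header, ext_len, 1, total - 4]) + bytes(total - 4)


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmpv6(msg_type, code, body):
    return struct.pack("!BBH", msg_type, code, 0) + body


def walk_chain(pkt):
    """Follow the header chain after the IPv6 header.
    Returns (fragmented, frag_offset8, next_header, offset): next_header is the
    first non-extension header and offset is where it starts, or None if the
    chain runs off the end of the packet. Stops right after a non-first Fragment
    header, since what follows it is payload, not headers."""
    nh, off, fragmented, frag_off = pkt[6], IPV6_HDR_LEN, False, 0
    while True:
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                return fragmented, frag_off, None, off
            nh, _, off_flags, _ = struct.unpack_from("!BBHI", pkt, off)
            fragmented, frag_off, off = True, off_flags >> 3, off + 8
            if frag_off != 0:
                return fragmented, frag_off, nh, off
        elif nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            if off + 2 > len(pkt) or off + (pkt[off + 1] + 1) * 8 > len(pkt):
                return fragmented, frag_off, None, off
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return fragmented, frag_off, nh, off


def blanket_filter(pkt):
    """The blunt rule: drop every packet that carries a Fragment header."""
    fragmented = walk_chain(pkt)[0]
    return ("drop", "fragment header present") if fragmented else ("accept", "not fragmented")


def selective_filter(pkt):
    """Drop only fragments that hide the upper-layer header or carry fragmented ND."""
    fragmented, frag_off, nh, off = walk_chain(pkt)
    if not fragmented:
        return "accept", "not fragmented"
    if frag_off != 0:
        return "accept", "non-first fragment, left to reassembly"
    if nh is None:
        return "drop", "header chain runs past the end of the first fragment (RFC 7112)"
    if len(pkt) - off < MIN_UPPER_LEN.get(nh, 0):
        return "drop", "first fragment does not carry the upper-layer header (RFC 7112)"
    if nh == ICMPV6 and pkt[off] in ND_TYPES:
        return "drop", f"fragmented Neighbor Discovery message type {pkt[off]} (RFC 6980)"
    return "accept", f"first fragment carries upper-layer header {nh}"


# Constructed traffic. A small DNS answer needs no fragmentation.
DNS_SMALL = ipv6(UDP, udp(53, 40000, bytes(120)))
# A DNS answer with many AAAA records, fragmented by the sending host at 1232 bytes:
# the first fragment carries the UDP header, the second carries only payload.
_DGRAM = udp(53, 40000, bytes(1400))
DNS_LARGE_FIRST = ipv6(FRAGMENT, fragment_header(UDP, 0, True) + _DGRAM[:1232])
DNS_LARGE_SECOND = ipv6(FRAGMENT, fragment_header(UDP, 1232 // 8, False) + _DGRAM[1232:])
# The RA-Guard evasion from RFC 7113: the first fragment holds only a Destination
# Options header; the Router Advertisement itself sits in a later fragment.
EVASION_FIRST = ipv6(FRAGMENT, fragment_header(DEST_OPTS, 0, True) + dest_opts(ICMPV6))
# A Router Advertisement sent behind a Fragment header, which RFC 6980 forbids.
RA_BODY = struct.pack("!BBHII", 64, 0, 1800, 0, 0)  # hop limit, flags, lifetime, reachable, retrans
FRAGMENTED_RA = ipv6(FRAGMENT, fragment_header(ICMPV6, 0, True) + icmpv6(134, 0, RA_BODY))

SAMPLES = {"dns_small": DNS_SMALL, "dns_large_first": DNS_LARGE_FIRST,
           "dns_large_second": DNS_LARGE_SECOND, "evasion_first": EVASION_FIRST,
           "fragmented_ra": FRAGMENTED_RA}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} blanket={blanket_filter(pkt)[0]:6} selective={selective_filter(pkt)}")
```

Running it shows the blanket rule dropping both halves of the large DNS answer along with the two attack packets, while the selective rule passes the DNS fragments and still drops the evasion fragment and the fragmented RA. Non-first fragments are accepted by design: a stateless filter cannot tell what they contain, and the host's reassembly will discard them if the first fragment never arrives.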

Be careful with filters, ACLs and firewall rules, and be sure you are only filtering the traffic you actually want to block.


* creative commons photo by James Ho