MTU/MSS testing IPv6

Gert Doering gert at space.net
Fri Apr 29 09:45:49 CEST 2016


Hi,

On Fri, Apr 29, 2016 at 09:38:50AM +0200, Shane Kerr wrote:
> OTOH, blocking all IPv6 fragments seems a bit too aggressive for
> firewalls. 

My guess is more along the lines of "this is on FreeBSD, using the pf(4)
packet filter, which is still not able to do anything reasonable with
IPv6 fragments" (you can permit-all or deny-all, but no reassembly and
no more educated filtering).

OpenBSD fixed that, but FreeBSD changed their networking stack enough
that they cannot just import new versions of pf(4) from OpenBSD anymore
(and it seems nobody really cares *sigh*).

We're using NAT64 techniques to access customer private networks (using
ULAs mapped to their private addresses on the outside) and these atomic
fragments + FreeBSD pf(4) have bitten us as well...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
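The "permit-all or deny-all, no more educated filtering" point above, as an added example; this is not code from the post, from SpaceNet or from pf(4). It walks the IPv6 extension-header chain to find the Fragment header and tells an atomic fragment (offset 0, M=0, the whole packet in one piece, which is what NAT64 paths hand you) from a real first/middle/last fragment, then applies the two blunt policies next to a hypothetical refined one. The source/destination addresses (fd00::1 -> fd00::2), the packets and the policy name "pass-atomic-only" are constructed test data and assumptions, not anything the firewall in question implements.

```python
"""Classify IPv6 fragments, including atomic fragments, from raw packet bytes.

Added example; not code from the list post. Shows what a filter has to do
beyond "permit all / deny all": walk the extension-header chain, find the
Fragment header, and tell an atomic fragment (offset 0, M=0, the whole
packet in one piece) from a real fragment. All packets below are constructed.
"""
import struct

IPV6_FRAGMENT = 44
# Extension headers that share the "next header, length in 8-octet units
# (not counting the first 8)" layout and may precede the Fragment header.
# AH (51) encodes its length differently and is not walked here (assumption:
# it is treated like an upper-layer protocol and ends the walk).
WALKABLE_EXT = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options


def parse_ipv6_fragment(pkt: bytes):
    """Return fragment info for an IPv6 packet, or None if it has no Fragment header."""
    if len(pkt) < 40:
        raise ValueError("shorter than an IPv6 header")
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    next_hdr = pkt[6]
    offset = 40
    while next_hdr in WALKABLE_EXT:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_hdr, ext_len = pkt[offset], pkt[offset + 1]
        offset += (ext_len + 1) * 8
    if next_hdr != IPV6_FRAGMENT:
        return None
    if offset + 8 > len(pkt):
        raise ValueError("truncated Fragment header")
    inner_nh, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[offset:offset + 8])
    frag_offset = (off_flags >> 3) * 8   # 13-bit offset field, in 8-octet units
    more = bool(off_flags & 1)           # M flag
    if frag_offset == 0 and not more:
        kind = "atomic"    # RFC 6946: Fragment header on an unfragmented packet
    elif frag_offset == 0:
        kind = "first"
    elif more:
        kind = "middle"
    else:
        kind = "last"
    return {"kind": kind, "offset": frag_offset, "more": more, "id": ident,
            "next_header": inner_nh, "payload_len": payload_len}


def decide(pkt: bytes, policy: str) -> str:
    """Apply a fragment policy: the two blunt ones, or a hypothetical refined one."""
    info = parse_ipv6_fragment(pkt)
    if info is None or policy == "permit-all":
        return "pass"
    if policy == "deny-all":
        return "drop"
    if policy == "pass-atomic-only":   # hypothetical refined policy, not a pf(4) feature
        # An atomic fragment still carries the full upper-layer header, so it can
        # be inspected as-is; non-initial fragments cannot without reassembly.
        return "pass" if info["kind"] == "atomic" else "drop"
    raise ValueError(f"unknown policy {policy!r}")


def build_ipv6(payload: bytes, next_header: int) -> bytes:
    """Constructed IPv6 header (fd00::1 -> fd00::2, hop limit 64) in front of payload."""
    src = b"\xfd\x00" + bytes(13) + b"\x01"
    dst = b"\xfd\x00" + bytes(13) + b"\x02"
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def build_ipv6_fragment(payload: bytes, *, next_header: int = 6, offset: int = 0,
                        more: bool = False, ident: int = 0x1234) -> bytes:
    """Wrap payload in a Fragment header; offset=0, more=False yields an atomic fragment."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    frag = struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | int(more), ident)
    return build_ipv6(frag + payload, IPV6_FRAGMENT)


if __name__ == "__main__":
    samples = {
        "atomic": build_ipv6_fragment(b"\x00" * 20),
        "first":  build_ipv6_fragment(b"\x00" * 1232, more=True),
        "last":   build_ipv6_fragment(b"\x00" * 100, offset=1232),
        "plain":  build_ipv6(b"\x00" * 20, 6),
    }
    for name, pkt in samples.items():
        info = parse_ipv6_fragment(pkt)
        print(f"{name:7} {info['kind'] if info else 'no fragment header':20}",
              {p: decide(pkt, p) for p in ("permit-all", "deny-all", "pass-atomic-only")})
```

Run it as a script to see the four sample packets under each policy; the "deny-all" column is the behaviour that drops the NAT64 atomic fragments, while "pass-atomic-only" lets those through and still drops what it cannot inspect without reassembly.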