Re: weird IPv6 packet dropping with 6to4

To: Taylor R Campbell <campbell%mumble.net@localhost>
Subject: Re: weird IPv6 packet dropping with 6to4
From: Matthias Scheler <tron%zhadum.org.uk@localhost>
Date: Sat, 5 Sep 2009 13:25:30 +0100

On Thu, Sep 03, 2009 at 11:42:28PM -0400, Taylor R Campbell wrote:
> # /sbin/pfctl -s rules
> scrub in on ex0 all fragment reassemble
> scrub out on pppoe0 all max-mss 1440 fragment reassemble
> scrub on stf0 all max-mss 1024 fragment reassemble

I'm not very convinced about the usefulness of PF's scrubbing in general.
But there is no reason to limit the MSS of TCP connections here.
IPv6 requires to handle fragmentation via ICMP.

> block drop all

I don't think the 

> pass quick on lo0 all flags S/SA keep state
> pass quick on pppoe0 inet proto ipv6 all keep state

This looks wrong. As a 6to4 host you can receive IPv6 packets from
different remote endpoints. I don't think that state keeping can
work here.

> As you can see, I have set up the usual MSS-clamping for PPPoE, and
> for IPv6 packets going through stf0,

You don't need MSS clamping for IPv6.

        Kind regards

-- 
Matthias Scheler                                  http://zhadum.org.uk/

Follow-Ups:
- Re: weird IPv6 packet dropping with 6to4
  - From: Taylor R Campbell

References:
- weird IPv6 packet dropping with 6to4
  - From: Taylor R Campbell

Prev by Date: Re: Problems with pf, ipsec nat-t, l2tp
Next by Date: Re: mk-configure: lightweight autoconf replacement written for/in bmake
Previous by Thread: weird IPv6 packet dropping with 6to4
Next by Thread: Re: weird IPv6 packet dropping with 6to4
Indexes:

Home | Main Index | Thread Index | Old Index