Loganaden Velvindron <loganaden%gmail.com@localhost> writes:

> An interesting case is explained here about:
>
> http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-01.txt
>
> Quote:
>
> If a packet is fragmented, the first fragment of the packet (i.e.,
> that with a Fragment Offset of 0) MUST contain the entire IPv6 header
> chain.
>
> I'm still new to IPv6 and I was thinking about something like this:
>
> if fragoff == 0 && q6->ip6q_unfraglen > 1280, drop_packet(); else
> process_it();

Are you worrying about outbound or inbound processing?

The headers are variable length. So on outbound, if one is creating a fragment that won't include all of them, I think you have to return an error (probably to the socket, but tunnel-mode IPsec packets can count as locally sourced).

On inbound, absent trying to firewall, I'm not sure there is much to be done, other than to check for this and drop. But a firewall probably should chase the header chain for first fragments and verify that it fits. A firewall probably should be validating all the headers anyway.

Can you point to something in the NetBSD code that's wrong? (I'm not trying to claim that there is nothing wrong.)
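The inbound check the reply describes, "chase the header chain for first fragments and verify that it fits", as an added example that is not part of this thread and not NetBSD's frag6/ip6_input code. It walks the extension headers of a received IPv6 packet and, for a first fragment (Fragment Offset 0), accepts it only if the chain reaches a complete upper-layer header inside the bytes actually received; a later fragment carries no chain and is passed through. The sample packets are constructed inline (unspecified addresses, zero-padded option headers), and the function name `header_chain_fits` and the `MAX_HEADERS` bound are this example's own choices. Note that it checks the chain itself rather than comparing an unfragmentable length against 1280, so a chain that is short but cut off by the fragment boundary is also caught.

```python
import struct

# IPv6 next-header values (IANA protocol numbers) used by the walker below.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 51, 60, 59
TCP, UDP, ICMPV6 = 6, 17, 58
IPV6_HDR_LEN = 40
MAX_HEADERS = 16                                # bound the walk so a crafted chain cannot loop
UPPER_MIN_LEN = {TCP: 20, UDP: 8, ICMPV6: 4}    # upper-layer header bytes that must be present


def header_chain_fits(pkt):
    """Walk the extension-header chain of one received IPv6 packet.

    Returns (ok, reason).  ok is False when the chain does not end with a
    complete upper-layer header inside the bytes we received; for a first
    fragment that is exactly the condition the draft forbids.  Non-first
    fragments carry no chain to check and are accepted here.
    """
    end = len(pkt)
    if end < IPV6_HDR_LEN:
        return False, "truncated IPv6 fixed header"
    nh, off = pkt[6], IPV6_HDR_LEN
    for _ in range(MAX_HEADERS):
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, AH):
            if off + 2 > end:
                return False, "extension header %d truncated" % nh
            # AH counts its length in 4-byte words minus 2; the others in 8-byte units minus 1.
            hlen = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
            nh, off = pkt[off], off + hlen
            if off > end:
                return False, "extension header chain runs past end of fragment"
        elif nh == FRAGMENT:
            if off + 8 > end:
                return False, "fragment header truncated"
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return True, "not a first fragment; no chain to validate"
            nh, off = pkt[off], off + 8
        elif nh == NO_NEXT_HEADER:
            return True, "chain ends with No Next Header"
        else:
            need = UPPER_MIN_LEN.get(nh, 0)
            if off + need > end:
                return False, "upper-layer header %d truncated" % nh
            return True, "complete chain, upper layer %d at offset %d" % (nh, off)
    return False, "more than %d headers" % MAX_HEADERS


# ---- constructed sample packets (built here, not captured) -----------------
def _ipv6(nh, payload):
    # version 6, zero traffic class / flow label, unspecified src and dst
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + bytes(32) + payload


def _ext(nh, hdr_ext_len):
    # generic options header: next header, Hdr Ext Len, then zero padding (Pad1 options)
    return bytes([nh, hdr_ext_len]) + bytes((hdr_ext_len + 1) * 8 - 2)


def _frag(nh, offset, more, ident=0x1234):
    # fragment header: next header, reserved, (offset << 3) | M flag, identification
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, ident)


TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN

# Hop-by-Hop, Fragment (offset 0, M=1), full TCP header, some data: the chain fits.
GOOD_FIRST_FRAGMENT = _ipv6(HOP_BY_HOP, _ext(FRAGMENT, 0) + _frag(TCP, 0, 1) + TCP_HDR + bytes(100))
# Fragment (offset 0) followed by a 2048-byte Destination Options header of which
# only 1000 bytes are in this fragment: the chain is oversized and does not fit.
OVERSIZED_FIRST_FRAGMENT = _ipv6(FRAGMENT, _frag(DEST_OPTS, 0, 1) + _ext(TCP, 255)[:1000])
# A later fragment (offset 160 * 8 bytes): nothing to validate.
SECOND_FRAGMENT = _ipv6(FRAGMENT, _frag(TCP, 160, 0) + bytes(100))
# First fragment whose TCP header is cut after 8 bytes.
TRUNCATED_UPPER_LAYER = _ipv6(FRAGMENT, _frag(TCP, 0, 1) + TCP_HDR[:8])

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_FIRST_FRAGMENT), ("oversized", OVERSIZED_FIRST_FRAGMENT),
                      ("second", SECOND_FRAGMENT), ("truncated", TRUNCATED_UPPER_LAYER)]:
        print(name, header_chain_fits(pkt))
```

A firewall applying this would drop packets for which `ok` is False; the reassembly path in a host can apply the same walk to the first fragment before queuing it. The walk reads each length byte before trusting it, so a chain that claims more bytes than the fragment holds is rejected rather than read past the buffer.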