tech-net archive


Re: IPv6 fragmentation issue for first fragment



Loganaden Velvindron <loganaden%gmail.com@localhost> writes:

> An interesting case is explained here about:
>
> http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-01.txt
>
> Quote:
>
>    If a packet is fragmented, the first fragment of the packet (i.e.,
>    that with a Fragment Offset of 0) MUST contain the entire IPv6 header
>    chain.
>
> I'm still new to IPv6 and I was thinking about something like this:
>
> if fragoff == 0 && q6->ip6q_unfraglen > 1280, drop_packet(); else 
> process_it();

Are you worrying about outbound or inbound processing?

The headers are variable length.  So on outbound, if one is creating a
fragment that won't include all of them, I think you have to return an
error (probably to the socket, but tunnel-mode IPsec packets can count
as locally sourced).

On inbound, absent trying to firewall, I'm not sure there is much to be
done, other than to check for this and drop.  But a firewall probably
should chase the header chain for first fragments and verify that it
fits.  A firewall probably should be validating all the headers anyway.

Can you point to something in the NetBSD code that's wrong?  (I'm not
trying to claim that there is nothing wrong.)

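The inbound check described in the reply above (chase the header chain of a first fragment and verify that it fits), written out as an added example in C. It is not code from this thread, from the draft, or from NetBSD's netinet6; it parses a raw IPv6 packet as received rather than an mbuf chain. Everything it assumes is its own: the set of extension headers it walks (Hop-by-Hop, Routing, Destination Options, AH, Fragment), the fixed upper-layer sizes it requires at the end of the chain (TCP 20, UDP 8, ICMPv6 4 bytes), the policy of treating a second Fragment header as malformed, and the constructed sample packets at the bottom.

```c
/* Added example (not NetBSD code): walk the header chain of a received IPv6
 * packet and tell whether a first fragment carries the whole chain.  The
 * fixed upper-layer sizes below are an assumption about what "entire chain"
 * must include; the sample packets are constructed, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum {  /* next-header (IANA protocol) values */
    NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43, NH_FRAGMENT = 44,
    NH_AH = 51, NH_ICMPV6 = 58, NH_NONE = 59, NH_DSTOPTS = 60
};
#define IPV6_HDR_LEN 40
#define FRAG_HDR_LEN 8

enum chain_result {
    CHAIN_OK,          /* whole chain present, or packet is not fragmented */
    CHAIN_TRUNCATED,   /* first fragment ends inside the chain: drop it */
    CHAIN_NOT_FIRST,   /* Fragment Offset != 0: the rule does not apply here */
    CHAIN_MALFORMED    /* not IPv6, bad lengths, or cut short with no Fragment header */
};

static size_t upper_layer_min(uint8_t nh)   /* assumed fixed header sizes */
{
    switch (nh) {
    case NH_TCP:    return 20;
    case NH_UDP:    return 8;
    case NH_ICMPV6: return 4;
    default:        return 0;   /* unknown upper layer: nothing more required */
    }
}

enum chain_result check_header_chain(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return CHAIN_MALFORMED;
    size_t plen = ((size_t)pkt[4] << 8) | pkt[5];
    if (IPV6_HDR_LEN + plen > len)            /* Payload Length beyond the data */
        return CHAIN_MALFORMED;
    len = IPV6_HDR_LEN + plen;                /* ignore any link-layer padding */

    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN, hlen;
    int seen_fragment = 0;
    /* A cut-off chain is a first-fragment violation only once a Fragment
     * header has been seen; before that it is simply a malformed packet. */
#define SHORT() (seen_fragment ? CHAIN_TRUNCATED : CHAIN_MALFORMED)
    for (;;) {                                /* every header is >= 8 bytes, so off grows */
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS: case NH_AH:
            if (off + 2 > len)
                return SHORT();
            hlen = (nh == NH_AH) ? ((size_t)pkt[off + 1] + 2) * 4   /* AH: 32-bit units */
                                 : ((size_t)pkt[off + 1] + 1) * 8;  /* others: 8-octet units */
            break;
        case NH_FRAGMENT:
            if (seen_fragment || off + FRAG_HDR_LEN > len)
                return CHAIN_MALFORMED;       /* second Fragment header: policy choice */
            if ((((pkt[off + 2] << 8) | pkt[off + 3]) >> 3) != 0)
                return CHAIN_NOT_FIRST;       /* later fragment: chain lives in fragment 0 */
            seen_fragment = 1;
            hlen = FRAG_HDR_LEN;
            break;
        case NH_NONE:
            return CHAIN_OK;
        default:                              /* upper-layer header ends the chain */
            return off + upper_layer_min(nh) > len ? SHORT() : CHAIN_OK;
        }
        if (off + hlen > len)
            return SHORT();
        nh = pkt[off];                        /* Next Header is byte 0 of every ext header */
        off += hlen;
    }
}

/* Constructed sample packets (not captured traffic). */
static size_t put_ipv6(uint8_t *p, uint8_t nh)
{
    memset(p, 0, IPV6_HDR_LEN);
    p[0] = 0x60; p[6] = nh; p[7] = 64;       /* version, Next Header, Hop Limit */
    p[23] = p[39] = 1;                       /* ::1 -> ::1; addresses are irrelevant here */
    return IPV6_HDR_LEN;
}
static size_t put_frag(uint8_t *p, uint8_t nh, unsigned offset, int more)
{
    unsigned f = (offset << 3) | (more ? 1 : 0);   /* 13-bit offset, 2 reserved, M */
    memset(p, 0, FRAG_HDR_LEN);
    p[0] = nh; p[2] = f >> 8; p[3] = f & 0xff; p[7] = 0x2a;   /* Identification */
    return FRAG_HDR_LEN;
}
static enum chain_result seal_and_check(uint8_t *p, size_t n)
{
    p[4] = (n - IPV6_HDR_LEN) >> 8; p[5] = (n - IPV6_HDR_LEN) & 0xff;  /* Payload Length */
    return check_header_chain(p, n);
}
/* IPv6 | HopByHop(8) | Fragment(off 0, M) | DstOpts(8) | UDP(8): everything fits. */
enum chain_result sample_complete_chain(void)
{
    uint8_t b[128]; size_t n = put_ipv6(b, NH_HOPOPTS);
    b[n] = NH_FRAGMENT; b[n + 1] = 0; memset(b + n + 2, 0, 6); n += 8;  /* Pad1 options */
    n += put_frag(b + n, NH_DSTOPTS, 0, 1);
    b[n] = NH_UDP; b[n + 1] = 0; memset(b + n + 2, 0, 6); n += 8;       /* Pad1 options */
    memset(b + n, 0, 8); n += 8;                                         /* UDP header */
    return seal_and_check(b, n);
}
/* IPv6 | Fragment(off 0, M) | DstOpts whose Hdr Ext Len promises 16 bytes, but
 * the fragment ends after 8: the chain spills into the next fragment. */
enum chain_result sample_truncated_chain(void)
{
    uint8_t b[128]; size_t n = put_ipv6(b, NH_FRAGMENT);
    n += put_frag(b + n, NH_DSTOPTS, 0, 1);
    b[n] = NH_TCP; b[n + 1] = 1; memset(b + n + 2, 0, 6); n += 8;
    return seal_and_check(b, n);
}
/* Same layout with Fragment Offset 100: a later fragment, no chain to check. */
enum chain_result sample_later_fragment(void)
{
    uint8_t b[128]; size_t n = put_ipv6(b, NH_FRAGMENT);
    n += put_frag(b + n, NH_TCP, 100, 0);
    memset(b + n, 0, 32); n += 32;           /* fragment payload, not headers */
    return seal_and_check(b, n);
}
```

The walk only needs the Next Header and length fields of each extension header, which is why it can run before reassembly: the first fragment is judged on what it carries, not on what the reassembled packet would look like. The three-way result matters in practice: a first fragment whose chain runs past its end is the case the draft is about and is dropped, a later fragment has no chain to check, and a packet that is cut short without any Fragment header is an ordinary malformed packet rather than a fragmentation problem.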


