tech-net archive
Re: frag6: better limitation
On Thu, Jan 25, 2018 at 10:32:42PM +0100, Maxime Villard wrote:
> Now, if someone floods the machine with fragments, the kernel will at some
> point kick all the fragments that come from this someone's address. Obviously,
> an attacker could be able to use a different src address; but then we rely
> on the firewall to reject the packets earlier.
I don't understand what you mean here. The typical scenario here is
someone sending fragments with a randomized host part. Given that IPv6
has enough space for that, it is not really possible to restrict that.
Joerg