[dns-operations] EDNS issue

Rick Jones rick.jones2 at hp.com
Sat Feb 26 01:07:20 UTC 2011


On Fri, 2011-02-25 at 16:00 +1100, Mark Andrews wrote:
> There is this security myth that you can run a IP network without
> letting through fragmented IP packets.  This has never been the
> case.  There is also a security myth that fragmented IP packets are
> dangerous.  They aren't.  

Well... there tends to be a bit of truth, however outdated, to
some/many/most myths. 

If one  goes back far enough in time, and one does have to go back a
considerable length of time, many stacks did not have a cap on how much
memory could be consumed by IP fragment reassembly, and they tended to
have relatively long reassembly timeouts (order of small number of
minutes).  Of course that little, overly-trusting oversight has been
corrected for years.

rick jones
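The two safeguards Rick refers to (a cap on how much memory fragment reassembly may hold, and a short reassembly timeout) are shown below in a toy IPv4 reassembly queue. This is an added example, not code from the thread or from any real stack; the cap, timeout and fragment key layout are assumptions chosen for illustration.

```python
import time
from collections import OrderedDict


class FragmentReassembler:
    """Toy IPv4 fragment reassembly queue with a byte cap and a per-datagram timeout.

    Without the cap, a stream of fragments that never complete would grow memory
    without bound; without the timeout, stale partial datagrams would sit until evicted.
    Overlapping fragments are not handled; duplicates at the same offset are ignored.
    """

    def __init__(self, high_thresh=4 * 1024 * 1024, timeout=30.0, clock=time.monotonic):
        self.high_thresh = high_thresh  # assumed cap on buffered fragment bytes
        self.timeout = timeout          # assumed seconds a partial datagram may wait
        self.clock = clock              # injectable clock so expiry can be tested
        self.queues = OrderedDict()     # key -> {"frags": {offset: bytes}, "total": int|None, "first": ts}
        self.mem = 0                    # bytes currently held across all partial datagrams

    def _drop(self, key):
        q = self.queues.pop(key)
        self.mem -= sum(len(d) for d in q["frags"].values())

    def expire(self):
        """Drop every partial datagram older than the timeout."""
        now = self.clock()
        for key in [k for k, q in self.queues.items() if now - q["first"] > self.timeout]:
            self._drop(key)

    def add(self, key, offset, data, more_fragments):
        """key is (src, dst, proto, ip_id). Returns the reassembled payload, or None."""
        self.expire()
        if len(data) > self.high_thresh:
            return None
        # Enforce the cap: evict the oldest partial datagrams (FIFO) until the new fragment fits.
        while self.mem + len(data) > self.high_thresh and self.queues:
            self._drop(next(iter(self.queues)))
        q = self.queues.setdefault(key, {"frags": {}, "total": None, "first": self.clock()})
        if offset in q["frags"]:
            return None
        q["frags"][offset] = data
        self.mem += len(data)
        if not more_fragments:
            q["total"] = offset + len(data)  # last fragment fixes the datagram length
        if q["total"] is not None:
            buf, pos = bytearray(), 0
            for off in sorted(q["frags"]):
                if off != pos:
                    return None  # a gap remains; keep waiting (or time out)
                buf += q["frags"][off]
                pos += len(q["frags"][off])
            if pos == q["total"]:
                self._drop(key)
                return bytes(buf)
        return None
```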
