[dns-operations] EDNS issue

Mark Andrews marka at isc.org
Sat Feb 26 01:45:02 UTC 2011

In message <1298682440.14113.240.camel at tardy>, Rick Jones writes:
> On Fri, 2011-02-25 at 16:00 +1100, Mark Andrews wrote:
> > There is this security myth that you can run a IP network without
> > letting through fragmented IP packets.  This has never been the
> > case.  There is also a security myth that fragmented IP packets are
> > dangerous.  They aren't.  
> Well... there tends to be a bit of truth, however outdated, to
> some/many/most myths. 
> If one  goes back far enough in time, and one does have to go back a
> considerable length of time, many stacks did not have a cap on how much
> memory could be consumed by IP fragment reassembly, and they tended to
> have relatively long reassembly timeouts (order of small number of
> minutes).  Of course that little, overly-trusting oversight has been
> corrected for years.

Decades ago and didn't require all fragments to be dropped, just
to those with broken IP stacks.  It's not like there weren't lossy
links back then.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
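The two fixes Rick mentions above (a cap on reassembly memory and a short reassembly timeout) are easy to see in a small model. The following is an added illustration, not code from either poster or from any real IP stack; the class, its defaults and the injectable clock are assumptions made for the example.

```python
import time
from collections import OrderedDict


class FragmentReassembler:
    """Toy IP fragment reassembly queue (constructed example, not a real stack).

    Holds fragments for incomplete datagrams but enforces a hard cap on
    buffered bytes and a short per-datagram timeout, so a stream of
    never-completed datagrams cannot consume unbounded memory.
    """

    def __init__(self, max_bytes=64 * 1024, timeout=30.0, clock=time.monotonic):
        self.max_bytes, self.timeout, self.clock = max_bytes, timeout, clock
        self.pending = OrderedDict()  # key -> {"frags", "total", "first"}; oldest first
        self.held = 0                 # bytes currently buffered for incomplete datagrams

    def _drop(self, key):
        entry = self.pending.pop(key)
        self.held -= sum(len(d) for d in entry["frags"].values())

    def _evict_expired(self):
        now = self.clock()
        for key in list(self.pending):
            if now - self.pending[key]["first"] > self.timeout:
                self._drop(key)

    def add(self, key, offset, data, more_fragments):
        """Insert one fragment; return the full payload once complete, else None.

        key identifies the datagram, e.g. (src, dst, proto, ident).  When the
        byte cap would be exceeded the oldest pending datagram is discarded.
        """
        self._evict_expired()
        while self.pending and self.held + len(data) > self.max_bytes:
            self._drop(next(iter(self.pending)))
        if len(data) > self.max_bytes:
            return None
        entry = self.pending.setdefault(key, {"frags": {}, "total": None, "first": self.clock()})
        if offset in entry["frags"]:
            return None  # duplicate fragment, ignored
        entry["frags"][offset] = data
        self.held += len(data)
        if not more_fragments:
            entry["total"] = offset + len(data)
        if entry["total"] is None:
            return None
        covered = 0  # check that fragments tile [0, total) with no gaps
        for off in sorted(entry["frags"]):
            if off != covered:
                return None
            covered += len(entry["frags"][off])
        if covered != entry["total"]:
            return None
        payload = b"".join(entry["frags"][o] for o in sorted(entry["frags"]))
        self._drop(key)
        return payload
```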