[dns-operations] EDNS issue
Mark Andrews
marka at isc.org
Sat Feb 26 01:45:02 UTC 2011
In message <1298682440.14113.240.camel at tardy>, Rick Jones writes:
> On Fri, 2011-02-25 at 16:00 +1100, Mark Andrews wrote:
> > There is this security myth that you can run a IP network without
> > letting through fragmented IP packets. This has never been the
> > case. There is also a security myth that fragmented IP packets are
> > dangerous. They aren't.
>
> Well... there tends to be a bit of truth, however outdated, to
> some/many/most myths.
>
> If one goes back far enough in time, and one does have to go back a
> considerable length of time, many stacks did not have a cap on how much
> memory could be consumed by IP fragment reassembly, and they tended to
> have relatively long reassembly timeouts (order of small number of
> minutes). Of course that little, overly-trusting oversight has been
> corrected for years.
Decades ago, and it didn't require all fragments to be dropped, just
those to hosts with broken IP stacks. It's not like there weren't lossy
links back then.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
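The safeguard Rick describes (a cap on reassembly memory plus a short timeout) as an added example that is not from this thread: a toy reassembler with a hypothetical `Reassembler` class and constructed fragments, showing that stale queues expire and that a datagram pushing the buffer over budget is shed rather than pinning memory.

```python
from dataclasses import dataclass, field
@dataclass
class Fragment:
    ident: int       # IP Identification field, shared by all fragments of one datagram
    offset: int      # fragment offset in bytes
    more: bool       # MF flag: set on every fragment except the last
    payload: bytes

@dataclass
class Queue:
    first_seen: float                                  # arrival time of the first piece
    parts: dict = field(default_factory=dict)          # offset -> payload
    total_len: "int | None" = None                     # known once the MF=0 piece arrives

class Reassembler:
    def __init__(self, max_bytes=64 * 1024, timeout=30.0):
        self.max_bytes, self.timeout = max_bytes, timeout
        self.queues, self.in_use = {}, 0               # ident -> Queue; bytes buffered
    def _drop(self, ident):
        q = self.queues.pop(ident)
        self.in_use -= sum(len(p) for p in q.parts.values())
    def expire(self, now):                             # the short reassembly timeout
        for ident, q in list(self.queues.items()):
            if now - q.first_seen > self.timeout:
                self._drop(ident)
    def add(self, frag, now):                          # returns full payload when complete
        self.expire(now)
        q = self.queues.setdefault(frag.ident, Queue(first_seen=now))
        if frag.offset in q.parts:                     # duplicate: ignore
            return None
        if self.in_use + len(frag.payload) > self.max_bytes:
            self._drop(frag.ident)                     # the memory cap: shed this datagram
            return None
        q.parts[frag.offset] = frag.payload
        self.in_use += len(frag.payload)
        if not frag.more:
            q.total_len = frag.offset + len(frag.payload)
        if q.total_len is None:
            return None
        buf, pos = b"", 0
        for off in sorted(q.parts):                    # must be contiguous from offset 0
            if off != pos:
                return None
            buf += q.parts[off]
            pos += len(q.parts[off])
        if pos != q.total_len:
            return None
        self._drop(frag.ident)                         # complete: release its bytes
        return buf
```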