[dns-operations] EDNS issue

Mark Andrews marka at isc.org
Sat Feb 26 01:45:02 UTC 2011


In message <1298682440.14113.240.camel at tardy>, Rick Jones writes:
> On Fri, 2011-02-25 at 16:00 +1100, Mark Andrews wrote:
> > There is this security myth that you can run an IP network without
> > letting through fragmented IP packets.  This has never been the
> > case.  There is also a security myth that fragmented IP packets are
> > dangerous.  They aren't.  
> 
> Well... there tends to be a bit of truth, however outdated, to
> some/many/most myths. 
> 
> If one  goes back far enough in time, and one does have to go back a
> considerable length of time, many stacks did not have a cap on how much
> memory could be consumed by IP fragment reassembly, and they tended to
> have relatively long reassembly timeouts (order of small number of
> minutes).  Of course that little, overly-trusting oversight has been
> corrected for years.

Decades ago, and it didn't require all fragments to be dropped, just
those to the hosts with broken IP stacks.  It's not like there weren't
lossy links back then.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
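The failure mode Rick describes (no cap on reassembly memory, reassembly
timeouts of minutes) and the fix that stacks adopted (a hard memory cap
plus a short timeout) can be modelled in a few dozen lines. The following
is an added example written for this archive page; it is not code from
the thread, from ISC, or from any real IP stack. The traffic it feeds
itself is constructed: a flood of first fragments that never complete,
followed by one legitimate two-fragment datagram of the size a large
EDNS response would produce. It shows that with the cap and timeout in
place the flood cannot grow the queue past the cap and the legitimate
datagram still reassembles, so there is no need to drop fragments at the
border to protect the receiver.

```python
"""Toy IPv4 fragment reassembler with a memory cap and a short timeout.
Constructed example for this page; not code from the thread or from ISC."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Key = Tuple[str, str, int, int]  # (src, dst, IP identification, protocol)


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int        # byte offset of this piece (header field value * 8)
    more: bool         # the MF ("more fragments") flag
    payload: bytes


@dataclass
class _Pending:
    first_seen: float
    pieces: Dict[int, bytes] = field(default_factory=dict)
    total_len: Optional[int] = None   # known once the MF=0 fragment arrives
    held: int = 0


class Reassembler:
    def __init__(self, max_memory: int, timeout: float) -> None:
        self.max_memory = max_memory   # hard cap on bytes of queued fragments
        self.timeout = timeout         # seconds an incomplete datagram may wait
        self.pending: Dict[Key, _Pending] = {}
        self.held = 0                  # bytes queued across all datagrams
        self.dropped = 0               # datagrams discarded (timeout, cap, bad)

    def _discard(self, key: Key) -> None:
        self.held -= self.pending.pop(key).held
        self.dropped += 1

    def expire(self, now: float) -> None:
        """Drop every incomplete datagram older than the timeout."""
        for key in [k for k, p in self.pending.items()
                    if now - p.first_seen > self.timeout]:
            self._discard(key)

    def _make_room(self, need: int) -> bool:
        """Evict the oldest incomplete datagrams until `need` bytes fit."""
        while self.held + need > self.max_memory and self.pending:
            self._discard(min(self.pending, key=lambda k: self.pending[k].first_seen))
        return self.held + need <= self.max_memory

    def feed(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Queue one fragment; return the full payload once it completes."""
        self.expire(now)
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        n = len(frag.payload)
        if not self._make_room(n):
            self.dropped += 1          # single fragment larger than the cap
            return None
        p = self.pending.setdefault(key, _Pending(first_seen=now))
        end = frag.offset + n
        # Overlapping pieces, a second last fragment, or data past the known
        # end are discarded outright rather than "resolved" somehow.
        bad = any(o < end and frag.offset < o + len(d) for o, d in p.pieces.items())
        bad = bad or (not frag.more and p.total_len is not None)
        bad = bad or (p.total_len is not None and end > p.total_len)
        if bad:
            self._discard(key)
            return None
        p.pieces[frag.offset] = frag.payload
        p.held += n
        self.held += n
        if not frag.more:
            p.total_len = end
        if p.total_len is None:
            return None
        expected = 0                   # complete only if pieces tile [0, total_len)
        for off in sorted(p.pieces):
            if off != expected:
                return None
            expected = off + len(p.pieces[off])
        if expected != p.total_len:
            return None
        data = b"".join(p.pieces[off] for off in sorted(p.pieces))
        self.held -= p.held            # completed, not dropped
        del self.pending[key]
        return data


def flood_then_legit(max_memory: int = 8192, timeout: float = 30.0) -> dict:
    """Constructed traffic: 1000 first fragments that never complete, then a
    legitimate two-fragment 1284-byte datagram (second fragment first)."""
    r = Reassembler(max_memory, timeout)
    peak = 0
    for i in range(1000):
        junk = Fragment(f"198.51.100.{i % 250}", "192.0.2.53", i, 17, 0, True, b"J" * 512)
        r.feed(junk, now=i * 0.01)
        peak = max(peak, r.held)
    t = 11.0
    body = bytes(range(256)) * 5 + b"tail"          # 1284 bytes, split at 1000
    a = Fragment("192.0.2.1", "192.0.2.53", 4242, 17, 0, True, body[:1000])
    b = Fragment("192.0.2.1", "192.0.2.53", 4242, 17, 1000, False, body[1000:])
    first, second = r.feed(b, t), r.feed(a, t + 0.001)
    r.expire(t + timeout + 1)                        # the leftover junk ages out
    return {"peak_held": peak, "max_memory": max_memory,
            "reassembled": first is None and second == body,
            "dropped_total": r.dropped, "pending_after_timeout": len(r.pending)}
```

Run `flood_then_legit()`: the queue never exceeds the 8192-byte cap during
the flood, the legitimate datagram is reassembled despite arriving after
it, every one of the 1000 junk fragments ends up dropped (evicted by the
cap or expired by the timeout), and nothing is left pending afterwards.
The eviction policy here (oldest incomplete datagram first) and the
numbers are the example's own choices, not those of any particular stack.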
