[dns-operations] EDNS issue
Ben Scott
mailvortex at gmail.com
Tue Mar 1 20:48:00 UTC 2011
On Fri, Feb 25, 2011 at 8:07 PM, Rick Jones <rick.jones2 at hp.com> wrote:
>> There is also a security myth that fragmented IP packets are
>> dangerous.
>
> ... many stacks did not have a cap on how much memory could
> be consumed by IP fragment reassembly ...
There was also a time when there were many routers doing stateless
filtering on IP headers (because that's all those routers could handle
with good performance) as a "firewall". It was discovered that
fragmented datagrams would bypass such simple filters. This led to
many operators blocking fragments (as opposed to getting a better
filter).
FYI, FWIW, etc.
-- Ben
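As an added illustration (not part of Ben's message or of any real filter product), the Python below models the point about header-only filters: only the first fragment of a datagram carries the UDP header, so a stateless rule such as "drop UDP to port 53" either passes later fragments blind or has to drop every fragment, whereas a reassembling filter can apply the rule to the whole datagram. The addresses, port, MTU and datagram size are constructed sample values.

```python
import struct

UDP = 17

def ipv4_header(total_len, ident, more_frags, frag_off, proto=UDP):
    # Fixed 20-byte IPv4 header; checksum left 0 (offline illustration only).
    flags_frag = (more_frags << 13) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def fragment(transport, ident, mtu):
    """Split a UDP header+payload into IPv4 fragments the way a router with
    the given MTU would: payload chunks are multiples of 8 bytes."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(transport), chunk):
        piece = transport[off:off + chunk]
        more = 1 if off + chunk < len(transport) else 0
        frags.append(ipv4_header(20 + len(piece), ident, more, off) + piece)
    return frags

def parse_ip(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"proto": f[6], "more": (f[4] >> 13) & 1,
            "off": (f[4] & 0x1FFF) * 8, "data": pkt[20:]}

def udp_dport(transport):
    return struct.unpack("!HHHH", transport[:8])[1]

def stateless_filter(pkt, blocked_dport, drop_all_fragments=False):
    """Header-only rule 'drop UDP to blocked_dport'. Only a first fragment
    (offset 0) carries the UDP header; later fragments have no port field,
    so the filter can only pass them blind or drop every fragment."""
    ip = parse_ip(pkt)
    if drop_all_fragments and (ip["more"] or ip["off"]):
        return "drop"
    if ip["proto"] != UDP or ip["off"] != 0:
        return "pass"
    return "drop" if udp_dport(ip["data"]) == blocked_dport else "pass"

def reassembling_filter(frags, blocked_dport):
    """Stateful rule: reassemble the datagram, then apply the same port rule."""
    parts = sorted((parse_ip(p) for p in frags), key=lambda ip: ip["off"])
    transport = b"".join(ip["data"] for ip in parts)
    return "drop" if udp_dport(transport) == blocked_dport else "pass"

def demo():
    # Constructed sample: 1200-byte UDP payload to port 53 crossing a 576-byte MTU.
    transport = struct.pack("!HHHH", 40000, 53, 8 + 1200, 0) + b"\x00" * 1200
    frags = fragment(transport, ident=0x1234, mtu=576)
    return {"fragments": len(frags),
            "stateless": [stateless_filter(p, 53) for p in frags],
            "block_all_frags": [stateless_filter(p, 53, True) for p in frags],
            "reassembled": reassembling_filter(frags, 53)}
```

Running `demo()` shows the stateless rule dropping only the first fragment and passing the other two blind, the blunt "block all fragments" policy dropping all three, and the reassembling filter dropping the datagram as a whole.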