[dns-operations] EDNS issue

Ben Scott mailvortex at gmail.com
Tue Mar 1 20:48:00 UTC 2011


On Fri, Feb 25, 2011 at 8:07 PM, Rick Jones <rick.jones2 at hp.com> wrote:
>> There is also a security myth that fragmented IP packets are
>> dangerous.
>
> ... many stacks did not have a cap on how much memory could
> be consumed by IP fragment reassembly ...

  There was also a time when there were many routers doing stateless
filtering on IP headers (because that's all those routers could handle
with good performance) as a "firewall".  It was discovered that
fragmented datagrams would bypass such simple filters.  This led to
many operators blocking fragments (as opposed to getting a better
filter).

  FYI, FWIW, etc.

-- Ben
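Added example (not code from the post or from the list): a toy model of the bypass Ben describes. A stateless "firewall" that reads the transport header out of each IP packet on its own can be fooled by a TCP SYN split across two fragments, because neither piece shows it a complete header. The script then contrasts the two responses the post mentions: refusing every fragment (which also kills a perfectly legitimate large UDP reply, the kind an EDNS-sized DNS answer turns into) versus the fragment-aware rules from RFC 1858 (drop a TCP first fragment too short to carry the flags byte, and drop TCP fragments at offset 1). The packet builder, the filters, the reassembler and the traffic are all constructed here; the addresses are from the documentation ranges and the policy "drop SYN to port 23" is just an illustrative rule.

```python
"""Constructed example (not code from the post or the list): a minimal
IPv4 builder, a stateless per-packet filter, and a host-side reassembler.
Policy under test: drop TCP connection attempts (SYN) to port 23."""
import struct

TCP, UDP, SYN, MF = 6, 17, 0x02, 0x2000   # MF = IPv4 "more fragments" bit

def _ip(addr):
    return bytes(int(x) for x in addr.split("."))

def ipv4(src, dst, proto, ident, mf, offset8, payload):
    """IPv4 header (IHL=5, checksum left zero) + payload; offset8 is the
    fragment offset in 8-byte units, as carried on the wire."""
    flags_frag = (MF if mf else 0) | (offset8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload

def tcp_header(sport, dport, flags, seq=0):
    """20-byte TCP header; ports at bytes 0-3, flags byte at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)

def parse_ipv4(pkt):
    ver_ihl, _, _, ident, ff, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ident": ident, "mf": bool(ff & MF), "offset": (ff & 0x1FFF) * 8,
            "proto": proto, "data": pkt[(ver_ihl & 0x0F) * 4:]}

def naive_filter(pkt):
    """Stateless header filter: matches SYN->23 on whatever bytes this one
    packet carries, and passes anything it cannot positively match."""
    p = parse_ipv4(pkt)
    d = p["data"]
    if p["proto"] != TCP or p["offset"] != 0 or len(d) < 14:
        return "ACCEPT"          # no complete TCP header in view: nothing to match
    dport = struct.unpack("!H", d[2:4])[0]
    return "DROP" if dport == 23 and d[13] & SYN else "ACCEPT"

def block_all_fragments_filter(pkt):
    """What the post says many operators did instead: refuse every fragment."""
    p = parse_ipv4(pkt)
    return "DROP" if p["mf"] or p["offset"] else naive_filter(pkt)

def rfc1858_filter(pkt):
    """The 'better filter' route, per RFC 1858's indirect method: drop a TCP
    first fragment too short to carry the flags byte (under 16 transport
    bytes) and any TCP fragment at offset 1, which could overwrite it."""
    p = parse_ipv4(pkt)
    if p["proto"] == TCP and ((p["offset"] == 0 and p["mf"] and len(p["data"]) < 16)
                             or p["offset"] == 8):
        return "DROP"
    return naive_filter(pkt)

def reassemble(fragments):
    """Host-side reassembly, last writer wins, no memory cap (the other
    problem quoted above).  Returns (proto, datagram) once complete."""
    buf, seen, total, proto = bytearray(), bytearray(), None, None
    for frag in fragments:
        p = parse_ipv4(frag)
        end = p["offset"] + len(p["data"])
        if end > len(buf):
            buf.extend(bytes(end - len(buf))); seen.extend(bytes(end - len(seen)))
        buf[p["offset"]:end] = p["data"]
        seen[p["offset"]:end] = b"\x01" * len(p["data"])
        proto = p["proto"]
        if not p["mf"]:
            total = end
    if total is None or not all(seen[:total]):
        return None              # last piece missing, or a hole left in the datagram
    return proto, bytes(buf[:total])

def run(filter_fn, fragments):
    """Push each fragment through the filter on its own, then reassemble what
    got through; returns what the host would see, or None if nothing."""
    res = reassemble([f for f in fragments if filter_fn(f) == "ACCEPT"])
    if res is None:
        return None
    proto, data = res
    out = {"proto": proto, "dport": struct.unpack("!H", data[2:4])[0], "bytes": len(data)}
    if proto == TCP:
        out["syn"] = bool(data[13] & SYN)
    return out

def telnet_syn_fragments():
    """Constructed: one SYN to port 23 split so the first fragment holds only ports+seq."""
    hdr = tcp_header(40000, 23, SYN)
    return [ipv4("192.0.2.1", "192.0.2.2", TCP, 0x1234, True, 0, hdr[:8]),
            ipv4("192.0.2.1", "192.0.2.2", TCP, 0x1234, False, 1, hdr[8:])]

def unfragmented_telnet_syn():
    return [ipv4("192.0.2.1", "192.0.2.2", TCP, 0x1235, False, 0, tcp_header(40000, 23, SYN))]

def large_udp_fragments():
    """Constructed: a 1408-byte UDP datagram (think: a big EDNS reply) in two fragments."""
    udp = struct.pack("!HHHH", 53, 40001, 1408, 0) + b"\xaa" * 1400
    return [ipv4("198.51.100.1", "192.0.2.2", UDP, 0x4242, True, 0, udp[:1000]),
            ipv4("198.51.100.1", "192.0.2.2", UDP, 0x4242, False, 125, udp[1000:])]

if __name__ == "__main__":
    for name, f in [("naive", naive_filter), ("block-all", block_all_fragments_filter), ("rfc1858", rfc1858_filter)]:
        print(name, run(f, unfragmented_telnet_syn()), run(f, telnet_syn_fragments()), run(f, large_udp_fragments()))
```

Running it shows the three outcomes side by side: the naive filter drops the whole SYN but lets the fragmented one through and reassembled as a SYN to 23; the block-all-fragments filter stops the attack but also discards the large UDP reply; the RFC 1858 rules stop the attack and let the UDP reply through. The reassembler deliberately has no cap on buffer growth, which is the other historical problem Rick's quoted remark refers to.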
