[dns-operations] EDNS with IPv4 and IPv6 (DNSSEC or large answers)
chk at pobox.com
Sat Sep 13 14:47:50 UTC 2014
On 13 September 2014 06:24, Roland Dobbins <rdobbins at arbor.net> wrote:
> No. IP fragmentation is a normal part of TCP/IP communications across the
> Internet. It isn't something to actively wish for, but it's perfectly
Google "Fragmentation Considered Harmful" - nothing significant has changed
in the decades that have passed. I still wouldn't turn it off, but there
are issues you should be aware of.
> Yes, allow it; there's no security issue. This is a myth originating with
> clueless vendors in the mid-1990s, and propagated today by Confused
> Information Systems Security Professionals (CISSPs) and their ilk.
In the 1990s fragmentation-based attacks against IP stacks were very real;
it took a long time for vendors to fix their stacks completely, and longer
to get fixes deployed, since we didn't have the "patch everything monthly"
culture firmly established yet.
I agree that I wouldn't worry too much about the *security* of IP
fragmentation today, but back then it was not a myth.
[ get off my lawn ;) ]