Date: Mon, 28 Apr 2008 14:31:31 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
To: freebsd-pf@freebsd.org
Subject: IPv6: pf drops all fragments unconditionally
Message-ID: <20080428123131.GA11879@hobbes.ustdmz.roe.ch>

Inspired by the addition of IPv6 glue to the root zone and the
various IPv6 hours, I am in the process of IPv6 enabling systems
and networks under my control.

The only showstopper so far is the fact that pf unconditionally
drops all IPv6 fragmented packets, since IPv6 fragment reassembly
is not implemented yet. According to pf.conf(5):

    Currently, only IPv4 fragments are supported and IPv6
    fragments are blocked unconditionally.

While I certainly agree with failing closed by default, not open,
I'd really like to be able to have my machines handle IPv6
fragments properly, or for the time being, have some way to at
least make the ``drop all fragments'' behaviour tunable without
patching/recompiling. I am aware that given PMTU discovery,
fragmentation is less likely to happen with IPv6 than with IPv4.

What is the state of full IPv6 fragment reassembly support? Is
anybody working on this, at FreeBSD or upstream? Is there a
reason why fragment reassembly is any harder to implement for
IPv6 than for IPv4?

I don't think that pf is ready for IPv6 yet if it unconditionally
drops IPv6 fragments.

-Dan

-- 
Daniel Roethlisberger <daniel@roe.ch>