Date: Tue, 7 Jun 2011 21:33:30 +0000
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Michael Proto <mike@jellydonut.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 day, PF and IPv6 fragments
Message-ID: <00EBAA07-0E65-49D0-A281-FF98DF6C98BA@lists.zabbadoz.net>
In-Reply-To: <BANLkTik=YyzTV7CAx9MOqapZF7o7Bzaibg@mail.gmail.com>
References: <20110607195057.GA37735@in-addr.com> <BANLkTik=YyzTV7CAx9MOqapZF7o7Bzaibg@mail.gmail.com>
On Jun 7, 2011, at 9:03 PM, Michael Proto wrote:

> On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer <gpalmer@freebsd.org> wrote:
>> Hi,
>>
>> I noticed after running test-ipv6.com at home that I was getting
>>
>> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
>> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>>
>> on my FreeBSD 7.3-RELEASE firewall. "man pf.conf" says
>>
>> Currently, only IPv4 fragments are supported and IPv6 fragments are
>> blocked unconditionally.
>>
>> Is this correct? If so, what is the correct way of getting IPv6 fragmented
>> packets through a pf firewall, or which version of FreeBSD introduces a PF
>> version that natively handles IPv6 fragments?
>>
>> Thanks,
>>
>> Gary
>
> Unless I'm mistaken, there shouldn't be any fragments for IPv6, at
> least nothing traversing IPv6-capable routers. MTU path-discovery is
> supposed to take care of that and any fragmentation is supposed to be
> done on the sending host once path-discovery determines the correct
> MTU.
>
> http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation

Whatever they say and what you read. There are fragments in IPv6 as well. Indeed, no one fragments the packet on the path, but if I am going to write 32k of data to UDP you'll see a lot of fragments no matter what.

Actually this is the most common frag6 source I am seeing -- large DNS replies due to DNSsec, etc.

/bz

-- 
Bjoern A. Zeeb
You have to have visions!
Stop bit received. Insert coin for new address family.
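The two points of the thread, sender-side IPv6 fragmentation of a large UDP write and pf's unconditional block of the resulting fragments, as an added worked example that is not part of the mail thread: the first function reproduces the RFC 2460 fragment layout a sending host emits for a UDP datagram larger than the path MTU, the second parses pflog lines of the shape Gary posted and checks which blocked fragment sets form a whole datagram. The sample log lines are constructed from the thread with `<my IP>` replaced by a documentation address.

```python
import re

IPV6_HDR, FRAG_HDR, UDP_HDR = 40, 8, 8

def ipv6_fragments(udp_payload_len, path_mtu=1280):
    """Return [(offset, length, more_fragments)] for one UDP datagram as the
    sending host fragments it (RFC 2460 s4.5): routers never fragment, offsets
    are byte offsets into the fragmentable part (UDP header + data), and every
    fragment but the last carries a multiple of 8 bytes so the offset fits the
    Fragment header's 8-byte units. An empty list means no fragmentation."""
    frag_part = UDP_HDR + udp_payload_len
    if IPV6_HDR + frag_part <= path_mtu:
        return []
    per_frag = (path_mtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < frag_part:
        length = min(per_frag, frag_part - offset)
        frags.append((offset, length, offset + length < frag_part))
        offset += length
    return frags

# pflog/tcpdump style line as printed in the thread: "frag (offset|length)"
FRAG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[0-9a-fA-F:.]+) > (?P<dst>[0-9a-fA-F:.]+): frag \((?P<off>\d+)\|(?P<len>\d+)\)")

def blocked_fragment_sets(log_lines):
    """Group blocked IPv6 fragments by (src, dst, rule) and check whether the
    logged pieces are contiguous from offset 0, i.e. whether pf dropped a whole
    datagram rather than a stray piece."""
    sets = {}
    for line in log_lines:
        m = FRAG_RE.search(line)
        if not m or m["action"] != "block":
            continue
        sets.setdefault((m["src"], m["dst"], m["rule"]), []).append((int(m["off"]), int(m["len"])))
    report = {}
    for key, pieces in sets.items():
        pieces.sort()
        contiguous = pieces[0][0] == 0 and all(
            a_off + a_len == b_off for (a_off, a_len), (b_off, _) in zip(pieces, pieces[1:]))
        report[key] = {"pieces": pieces, "bytes": sum(l for _, l in pieces), "contiguous": contiguous}
    return report

# Constructed sample: Gary's two lines, with <my IP> replaced by a documentation address.
SAMPLE = [
    "2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::1: "
    "frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>",
    "2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::1: frag (1424|16)",
]

if __name__ == "__main__":
    print(blocked_fragment_sets(SAMPLE))
    print(len(ipv6_fragments(32 * 1024)), "fragments for a 32 KiB UDP write at the 1280-byte minimum MTU")
```

Run on a real pflog (`tcpdump -n -e -ttt -r /var/log/pflog ip6`), the report shows which blocked IPv6 flows were whole fragmented datagrams rather than noise.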