[c-nsp] ACL to block udp/0?

Gert Doering gert at greenie.muc.de
Wed Dec 6 05:45:41 EST 2023


On Wed, Dec 06, 2023 at 09:00:58AM +0000, Dobbins, Roland wrote:
> On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
> > deny ipv4 any any fragments
> This is approach is generally contraindicated, as it tends to break EDNS0, & DNSSEC along with it.

I'd argue that the DNS folks recommend using EDNS0 with 1232 bytes, which
works just fine to avoid fragments...


... but of course you are right that unconditionally dropping all fragments
is not a recommended approach unless acutely under attack.

What we do here is exactly what you recommend - rate-limit fragments to
some 200Mbit/s per network ingress, which is ~50x the normal peak rate
of fragments seen, and closely monitor drop counts.

"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20231206/91ff40da/attachment.sig>

More information about the cisco-nsp mailing list