[USN-1661-1] Linux kernel vulnerability
Karl Auer
kauer at biplane.com.au
Wed Dec 12 00:07:43 UTC 2012
On Tue, 2012-12-11 at 09:38 -0800, Kristian Erik Hermansen wrote:
> OK. This may be a dumb question, but I thought IPv6 did away with
> fragmentation precisely to prevent such security issues. What happened here?

IPv6 did away with en route fragmentation, i.e., fragmentation by
routers along the path. However, fragmentation is still needed to deal
with varying MTUs along the path.

The difference with IPv6 is that all fragmentation is done at the
source, and all reassembly is done at the destination. There will be
interim devices that do reassembly for inspection purposes (firewalls,
IDS, IPS etc) but they are outside the protocol.

This makes path MTU discovery (PMTUD) much more important to IPv6 than
it was to IPv4.

Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
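
The source-side fragmentation and destination-side reassembly described in the message above, as an added Python example (not part of the original post and not kernel code). The function names `fragment` and `reassemble` are hypothetical, the 40-byte IPv6 header itself is left out so only the Fragment extension header and its data are handled, and the header layout follows RFC 8200.

```python
import struct

IPV6_HDR_LEN = 40      # fixed IPv6 header
FRAG_HDR_LEN = 8       # Fragment extension header (Next Header value 44)
MIN_IPV6_MTU = 1280    # every IPv6 link must carry at least this

def fragment(payload: bytes, next_header: int, ident: int, path_mtu: int):
    """Source side: split the payload into (fragment header + data) chunks."""
    if path_mtu < MIN_IPV6_MTU:
        raise ValueError("IPv6 path MTU cannot be below 1280")
    # Non-final fragments must carry a multiple of 8 bytes of data.
    chunk = (path_mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) & ~7
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = 1 if off + chunk < len(payload) else 0
        # 13-bit offset in 8-byte units, 2 reserved bits, 1-bit M flag
        hdr = struct.pack("!BBHI", next_header, 0, (off // 8) << 3 | more, ident)
        frags.append(hdr + data)
    return frags

def reassemble(frags):
    """Destination side: rebuild the payload, rejecting gaps and overlaps."""
    parts, total, ids = {}, None, set()
    for f in frags:
        nh, _, off_m, ident = struct.unpack("!BBHI", f[:FRAG_HDR_LEN])
        off, more, data = (off_m >> 3) * 8, off_m & 1, f[FRAG_HDR_LEN:]
        ids.add(ident)
        if more and len(data) % 8:
            raise ValueError("non-final fragment not a multiple of 8 bytes")
        if not more:
            total = off + len(data)   # only the final fragment fixes the length
        parts[off] = data
    if len(ids) != 1 or total is None:
        raise ValueError("incomplete or mixed fragment set")
    out, pos = b"", 0
    for off in sorted(parts):
        if off != pos:                # data must be contiguous
            raise ValueError("gap or overlap in fragments")
        out += parts[off]
        pos += len(parts[off])
    if pos != total:
        raise ValueError("data beyond the final fragment")
    return nh, out
```

Because no router will fragment on the sender's behalf, the `path_mtu` argument is the value the source learns through PMTUD; a stale or too-large value means the packet is dropped rather than split en route.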