Inspired by the addition of IPv6 glue to the root zone and the various IPv6 hours, I am in the process of IPv6 enabling systems and networks under my control.

The only showstopper so far is the fact that pf unconditionally drops all IPv6 fragmented packets, since IPv6 fragment reassembly is not implemented yet. According to pf.conf(5):

    Currently, only IPv4 fragments are supported and IPv6 fragments are
    blocked unconditionally.

While I certainly agree with failing closed by default, not open, I'd really like to be able to have my machines handle IPv6 fragments properly, or for the time being, have some way to at least make the ``drop all fragments'' behaviour tunable without patching/recompiling.

I am aware that given PMTU discovery, fragmentation is less likely to happen with IPv6 than with IPv4.

What is the state of full IPv6 fragment reassembly support? Is anybody working on this, at FreeBSD or upstream? Is there a reason why fragment reassembly is any harder to implement for IPv6 than for IPv4?

I don't think that pf is ready for IPv6 yet if it unconditionally drops IPv6 fragments.

-Dan
--
Daniel Roethlisberger <daniel roe.ch>