Re: pf and fragmented IPv6 packets

From: Rod Whitworth
Date: Thursday, December 10, 2009 - 3:11 am

On Thu, 10 Dec 2009 09:39:33 +0100, Jonas Thambert wrote:


I have an IPv6 over IPv4 connection. I once had two, one using a hexago
tunnel and the other I still have using a Hurricane Electric one.

I have never had a problem connecting through OpenBSD with a pf
firewall to native IPv6 sites like Google's v6 or the hosts on the /32
IPv6 netblock I maintain using an OpenBSD / OpenBGPd router.

Maybe I'm just lucky. I'm a bit confused as to why packets need to be
fragmented on IPv6 other than to play DDOS games. Nobody needs packets
bigger than the specified minimum (1280B) and the usual problem is a
PMTUD blackhole anyway.

Don't you just love all those cretins that block all ICMP packets on
IPv4? They can stuff up IPv6 too.

There is some advice about debugging this kind of problem in van
Beijnum's "Running IPv6". Try starting with that or finding out why
there are oversized packets there anyway.

The real fly in the ointment is the stupid way one can frag packets
madly in IPv6 with mayhem in mind. *

If you want to allow reassembly you have to figure out what to do about
malicious frags which can exhaust your RAM quite easily.

* See http://www.ruxcon.org.au/files/2006/dowd_ipv6.ppt

I'm too tired to reread this to see if it all makes sense but if I left
it until I was fresher I'd have forgotten to reply ;-) Hope you can get
some good out of it.

Regards,



*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
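The RAM-exhaustion point Rod raises about reassembling malicious fragments, worked through as an added example that is not part of the original post and is not pf's own code: a small IPv6 fragment-header parser and a reassembly queue in Python that bounds memory with a global byte budget (oldest incomplete datagram evicted first), a per-datagram fragment cap, a 60-second reassembly timeout, and RFC 5722-style rejection of overlapping fragments. The limits, addresses, identifications and the fake clock in `demo()` are constructed for the illustration.

```python
# Bounded IPv6 fragment reassembly (added illustration, not pf code).
# Sample addresses, limits and fragments below are constructed.
import struct
from collections import OrderedDict

FRAG_HDR_LEN = 8  # fragment extension header is 8 octets (RFC 2460 sec 4.5)


def make_fragment(nxt, offset, more, ident, data):
    """Constructed sample input: fragment header + data; offset is in bytes."""
    off_flags = ((offset // 8) << 3) | (1 if more else 0)
    return struct.pack("!BBHI", nxt, 0, off_flags, ident) + data


def parse_fragment(payload):
    """Return (next_header, offset_bytes, more_flag, identification, data)."""
    if len(payload) < FRAG_HDR_LEN:
        raise ValueError("truncated fragment header")
    nxt, _res, off_flags, ident = struct.unpack("!BBHI", payload[:FRAG_HDR_LEN])
    return nxt, (off_flags >> 3) * 8, bool(off_flags & 1), ident, payload[FRAG_HDR_LEN:]


class Reassembler:
    """Reassembly queue with a global byte budget, a per-datagram fragment cap,
    a reassembly timeout and RFC 5722 overlap rejection."""

    def __init__(self, max_total_bytes, max_frags, timeout, clock):
        self.max_total_bytes, self.max_frags = max_total_bytes, max_frags
        self.timeout, self.clock = timeout, clock
        self.queues = OrderedDict()  # (src, dst, ident) -> state, oldest first
        self.buffered = 0            # bytes held across all queues
        self.dropped = 0             # incomplete datagrams discarded

    def _drop(self, key):
        self.buffered -= self.queues.pop(key)["size"]
        self.dropped += 1

    def expire(self):
        """Reap datagrams whose reassembly has run past the timeout."""
        now = self.clock()
        for key in [k for k, q in self.queues.items() if now - q["t0"] > self.timeout]:
            self._drop(key)

    def add(self, src, dst, fragment):
        """Feed one fragment; return the full payload when complete, else None."""
        self.expire()
        _nxt, offset, more, ident, data = parse_fragment(fragment)
        key = (src, dst, ident)
        q = self.queues.setdefault(key, {"frags": {}, "end": None, "size": 0, "t0": self.clock()})
        # RFC 5722: an overlapping fragment poisons the whole datagram; discard it all.
        if any(offset < o + len(d) and o < offset + len(data) for o, d in q["frags"].items()):
            self._drop(key)
            return None
        if more and len(data) % 8:  # non-final fragments must be 8-octet multiples
            self._drop(key)
            return None
        if not more:
            q["end"] = offset + len(data)
        q["frags"][offset] = data
        q["size"] += len(data)
        self.buffered += len(data)
        if len(q["frags"]) > self.max_frags:
            self._drop(key)
            return None
        # Memory budget: evict the oldest incomplete datagrams until under the cap,
        # so a flood of never-completed fragments cannot grow the queue without bound.
        while self.buffered > self.max_total_bytes:
            victim = next(iter(self.queues))
            self._drop(victim)
            if victim == key:
                return None
        return self._complete(key, q)

    def _complete(self, key, q):
        if q["end"] is None:
            return None
        pos = 0
        for o in sorted(q["frags"]):
            if o != pos:
                return None  # a hole is still outstanding
            pos += len(q["frags"][o])
        if pos != q["end"]:
            return None
        self.buffered -= q["size"]
        del self.queues[key]
        return b"".join(q["frags"][o] for o in sorted(q["frags"]))


def demo():
    """Legitimate datagram, a flood of never-completed fragments, an overlap,
    then a timeout; returns the observations so they can be checked."""
    now = [0.0]  # fake clock so the timeout is reproducible offline
    r = Reassembler(max_total_bytes=4096, max_frags=8, timeout=60.0, clock=lambda: now[0])
    src, dst = "2001:db8::1", "2001:db8::2"  # constructed addresses
    payload = bytes(range(256)) * 5           # 1280 bytes, the IPv6 minimum MTU
    r.add(src, dst, make_fragment(58, 0, True, 0x1234, payload[:1200]))
    legit = r.add(src, dst, make_fragment(58, 1200, False, 0x1234, payload[1200:]))
    for ident in range(100):  # 100 datagrams whose final fragment never arrives
        r.add("2001:db8::bad", dst, make_fragment(58, 0, True, ident, b"\0" * 1024))
    flood_buffered, flood_dropped = r.buffered, r.dropped  # stays within the 4096 budget
    r.add(src, dst, make_fragment(58, 0, True, 0x5555, b"A" * 16))
    overlap = r.add(src, dst, make_fragment(58, 8, False, 0x5555, b"B" * 16))  # overlaps
    now[0] = 61.0
    r.expire()  # everything left is older than the timeout and gets reaped
    return {"legit": legit == payload, "flood_buffered": flood_buffered,
            "flood_dropped": flood_dropped, "overlap": overlap, "queued": len(r.queues)}
```

The point of the budget is that the cost of a fragment flood is bounded and paid by the oldest incomplete datagram rather than by the host's memory; the overlap check follows the RFC 5722 rule of discarding the whole datagram, which is simpler and safer than trying to pick a "winning" fragment.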

Messages in current thread:
pf and fragmented IPv6 packets, Jonas Thambert, (Thu Dec 10, 1:39 am)
Re: pf and fragmented IPv6 packets, Rod Whitworth, (Thu Dec 10, 3:11 am)
Re: pf and fragmented IPv6 packets, Jonas Thambert, (Thu Dec 10, 3:39 am)
Re: pf and fragmented IPv6 packets, Todd T. Fries, (Thu Dec 10, 8:59 am)