block fragmentation overlapping with ip6tables

user1790995 asked:

I’m studying fragmentation on IPv6. I read about the fragmentation overlapping issue. Does anyone know if is possible, and if how to block this attack with ip6tables?


I answered:

IPv6 routers do not fragment packets. Ever.

IPv6 hosts may fragment packets, but are not allowed to send overlapping fragments. Since version 2.6.36, Linux always drops such fragments and gives up on the entire packet.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.