ipv6 fragment reassembling

Here is a great article about ipv6 fragment handling.


The article concludes by point out that it looks like the IETF is converging on RFCs that forbid overlapping fragments which should make fragment reassembly much clearer for us. Current operating systems are of course all over the map in terms of what they actually support of course. :slight_smile:


I don't get what all this fuss is about. IPv4 has exactly the same issues.

Even with a "standard" way of handling overlaps the IDS has no way of knowing if the monitored systems actually implement the standard correctly. So you are still in the same position you were before. And if it's not fragments that you can still have overlapping TCP segments, TTL-tuning, hiding ports in subsequent fragments, etc., etc.)


Yeah, that's right. In particular given that this is a recent change.
What we could see is if overlapping fragements are rare enough that
it's worth alarming on.