On Thu, 2 Aug 2018 23:34:37 +0000 Peter Oskolkov <[email protected]> wrote:
> This behavior is required in IPv6, and there is little need
> to tolerate overlapping fragments in IPv4. This change
> simplifies the code and eliminates potential DDoS attack vectors.
>
> Tested: ran ip_defrag selftest (not yet available upstream).
>
> Suggested-by: David S. Miller <[email protected]>
> Signed-off-by: Peter Oskolkov <[email protected]>
> Signed-off-by: Eric Dumazet <[email protected]>
> Cc: Florian Westphal <[email protected]>

There are a couple of relevant RFCs:
  RFC 1858 - Security Considerations for IP Fragment Filtering
  RFC 2460 - Handling of Overlapping IPv6 Fragments

Acked-by: Stephen Hemminger <[email protected]>
