
Fragmentation in Dual Stack Lite technology

David Platenka
Level 1

Hello everyone, I faced a problem when using DS-Lite that blew my mind. Up to now, I still cannot figure out why. So please help me explain why client 1 cannot ping the server successfully. The whole scenario (Fig. 1) is below:

DavidPlatenka_0-1706532989798.png

In this laboratory scenario, I am an attacker in the ISP core network (shown in Fig. 8):

DavidPlatenka_1-1706533135054.png

I sent a spoofed Packet Too Big message from the attacker, with the source address of CPE1 and the destination AFTR, advertising an MTU that I set to 1280 bytes. My aim: CPE1 tells AFTR about the change of MTU on the next path (from AFTR to home network 1).

After that message, I tried a ping from client 1 to the server with data size 1400, and the ping failed to get a Reply. Client 1 generated a normal Request packet with 1400 bytes of payload. It came through the DS-Lite tunnel (IPv4-in-IPv6) without any problem or fragmentation and reached the server. The server then replied with 1 Reply message (without fragmentation). When receiving the Reply message, AFTR then generated the Error message below. This message was decapsulated and reached the client.

DavidPlatenka_2-1706533779079.png

My question is: why did this problem happen? Why was there no fragmentation to make the ping successful? Is this a typical problem of fragmentation with IPv4-IPv6 transition? In IPv6, only the source can fragment the packet, so AFTR (as the router) cannot fragment this packet? How can I solve this problem?
