From: Stephen Hemminger
Subject: Re: [PATCH v2 net-next 1/3] ip: discard IPv4 datagrams with overlapping segments.
Date: Thu, 2 Aug 2018 17:09:35 -0700
Message-ID: <20180802170935.7ff9e4cb@xeon-e3>
References: <20180802233439.51643-1-posk@google.com> <20180802233439.51643-2-posk@google.com>
In-Reply-To: <20180802233439.51643-2-posk@google.com>
To: Peter Oskolkov
Cc: David Miller, netdev@vger.kernel.org, Eric Dumazet, Florian Westphal

On Thu, 2 Aug 2018 23:34:37 +0000
Peter Oskolkov wrote:

> This behavior is required in IPv6, and there is little need
> to tolerate overlapping fragments in IPv4. This change
> simplifies the code and eliminates potential DDoS attack vectors.
>
> Tested: ran ip_defrag selftest (not yet available upstream).
>
> Suggested-by: David S. Miller
> Signed-off-by: Peter Oskolkov
> Signed-off-by: Eric Dumazet
> Cc: Florian Westphal

There are a couple of relevant RFCs:
  RFC 1858 - Security Considerations for IP Fragment Filtering
  RFC 2460 - Handling of Overlapping IPv6 Fragments

Acked-by: Stephen Hemminger
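
An added illustration, not the patch under discussion and not kernel code: a minimal reassembly queue in C that applies the policy named in the subject line, discarding the whole datagram as soon as a fragment overlaps bytes already received. The names `frag_queue` and `frag_add`, the 16-fragment limit, and the choice to treat an exact duplicate as an overlap are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_FRAGS 16            /* per-datagram bound, assumed for this sketch */
#define MAX_DGRAM 65535u        /* largest IPv4 datagram */
struct frag { unsigned start, end; };     /* payload bytes [start, end) */
struct frag_queue {                       /* hypothetical per-datagram state */
    struct frag frags[MAX_FRAGS];         /* sorted by start, never overlapping */
    size_t n;
    unsigned total_len;                   /* 0 until the MF=0 fragment arrives */
    bool dead;                            /* datagram already discarded */
};
enum frag_result { FRAG_QUEUED, FRAG_COMPLETE, FRAG_DISCARD };

static enum frag_result discard(struct frag_queue *q)
{
    q->n = 0;        /* drop everything queued so far, not just this fragment */
    q->dead = true;  /* and refuse later fragments of the same datagram */
    return FRAG_DISCARD;
}

enum frag_result frag_add(struct frag_queue *q, unsigned start, unsigned len, bool more_frags)
{
    unsigned end = start + len;
    size_t i, pos = 0;
    if (q->dead || len == 0 || start > MAX_DGRAM || len > MAX_DGRAM - start ||
        q->n == MAX_FRAGS)
        return discard(q);
    if (!more_frags) {  /* last fragment fixes the length; nothing may lie beyond it */
        if (q->total_len || (q->n && q->frags[q->n - 1].end > end))
            return discard(q);
        q->total_len = end;
    } else if (q->total_len && end > q->total_len)
        return discard(q);
    while (pos < q->n && q->frags[pos].start < start)
        pos++;
    /* Any shared byte with the neighbour on either side is an overlap. */
    if ((pos > 0 && q->frags[pos - 1].end > start) ||
        (pos < q->n && q->frags[pos].start < end))
        return discard(q);
    for (i = q->n++; i > pos; i--)
        q->frags[i] = q->frags[i - 1];
    q->frags[pos] = (struct frag){ start, end };
    if (!q->total_len || q->frags[0].start != 0)
        return FRAG_QUEUED;
    for (i = 1; i < q->n; i++)  /* complete only when there are no holes */
        if (q->frags[i].start != q->frags[i - 1].end)
            return FRAG_QUEUED;
    return FRAG_COMPLETE;
}
```

Because the queue never holds overlapping ranges, there is no trimming or merging path; a fragment is either inserted between its neighbours or the datagram is dropped.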