by mprovost 4854 days ago
Yes, but they were still seeing packets bigger than the MTU of Ethernet (or SONET or whatever other layer 1/2 tech they're connected to the rest of the net with). It doesn't matter what higher level protocols can handle.
2 comments

They could've been fragmented IPv6 packets. Or it could've been a bug in their profiler.
which is precisely why it seems like lunacy to roll out such an asinine firewall rule to every router. if there was ever a time to "spot check" a change, this was it.

they didn't. and they paid the price. good on 'em for the quick and honest post-mortem. regardless, it was a dumb move.

You are joking, right? The packet size at the higher layer is what they were matching against. The size of the layer 2 packets is irrelevant.
Maybe, but nothing in the rule they showed hinted it was not at layer 3 (for IPv4).
It is at layer 3. IPv6 is layer 3.
If it was IPv6, I'd assume the routing rule on their blog contained IPv6 addresses, not IPv4 addresses, even if the blog faked the IP addresses.
Perhaps then you aren't aware that IPv6 stacks can reach IPv4 addresses, nor that IPv6 packets are a popular way to compromise systems that support both IPv6 and IPv4, because the IPv6 stacks are not as well hardened.