[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

filtering packets with unknown options

To: v6ops@ops.ietf.org
Subject: filtering packets with unknown options
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 12 Jul 2006 11:33:27 -0400

After thinking about this a little more, it occurs to me that thecorrect behavior in cases where an unknown option is encountered andthe security environment is such that this is deemed undesireable, isto drop the OPTION, not the packet.


This way, new stuff can be deployed without problems.

There is of course the tiny detail of how to implement this.Firewalls do a lot of processing so it's not completely outside therealm of possibility to assume that they could remove extensionheaders, but routers certainly aren't going to do this.

An alternative would be to set the contents of the option to all zerobits, this should be easier to implement than removing the headerfrom the packet.


Thoughts?

Follow-Ups:
- Re: filtering packets with unknown options
  - From: Joe Abley <jabley@ca.afilias.info>
- Re: filtering packets with unknown options
  - From: Fred Baker <fred@cisco.com>
- Re: filtering packets with unknown options
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: Re: draft-narten-ipv6-3177bis-48boundary-02.txt
Next by Date: Re: filtering packets with unknown options
Previous by thread: Remove tunnel mode from ipsec-tunnels-02?
Next by thread: Re: filtering packets with unknown options
Index(es):
- Date
- Thread