[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: filtering packets with unknown options

To: Pekka Savola <pekkas@netcore.fi>
Subject: Re: filtering packets with unknown options
From: Eric Vyncke <evyncke@cisco.com>
Date: Wed, 12 Jul 2006 19:13:38 +0200
Authentication-results: sj-dkim-4.cisco.com; header.From=evyncke@cisco.com; dkim=pass ( sig from cisco.com verified; );
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, v6ops@ops.ietf.org
Dkim-signature: a=rsa-sha1; q=dns; l=1070; t=1152724427; x=1153588427; c=relaxed/simple; s=sjdkim4001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=evyncke@cisco.com; z=From:Eric=20Vyncke=20<evyncke@cisco.com> |Subject:Re=3A=20filtering=20packets=20with=20unknown=20options; X=v=3Dcisco.com=3B=20h=3DE3jHNzvAfqlWjdeX2PcpgUWHFwI=3D; b=G2ir1kVrt4ZbR+oszdYpV2KhPNK1iNGimU3R80naeCtsssxUocTbPDbC0Yz507aYOh8eO7rq zFCBPzq9oHSKf+XVXSbB+AO7DRsSYRZfSc1y87wwPS84lap4Q5mazo7O;
In-reply-to: <Pine.LNX.4.64.0607121955510.3989@netcore.fi>
References: <909BFECF-2CDA-4092-B065-2CFBD12AA537@muada.com> <909BFECF-2CDA-4092-B065-2CFBD12AA537@muada.com>

At 19:58 12/07/2006 +0300, Pekka Savola wrote:
>On Wed, 12 Jul 2006, Iljitsch van Beijnum wrote:
>>There is of course the tiny detail of how to implement this. Firewalls do a lot of processing so it's not completely outside the realm of possibility to assume that they could remove extension headers, but routers certainly aren't going to do this.
>
>This has been a no-no in IPv6 design.  Intermediary devices do not add or remove options.  That might even be explicitly stated in RFC 2460.
>
>On the other end, FW _could_ send a parameter problem (or whatever) ICMP error about the packet, which could result in the host trying to send without the header (if the host included the logic to respond to failures to communicate with a header, which I'd assume they'd need to have in the future, e.g., with shim6).
>
>However, I suspect many FW admins prefer silent discard in this case. I personally have no strong preference.

And those FW admins will be right because this may end up in a reflection DoS attack ;-)


-éric

References:
- filtering packets with unknown options
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: filtering packets with unknown options
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: Re: filtering packets with unknown options
Next by Date: Re: filtering packets with unknown options
Previous by thread: Re: filtering packets with unknown options
Next by thread: Re: filtering packets with unknown options
Index(es):
- Date
- Thread