[ipv6-wg] [v6ops] Extension Headers / Impact on Security Devices
Tore Anderson
tore at fud.no
Wed Jun 17 20:18:09 CEST 2015
* sthaug at nethelp.no

> Back to IPv6: I might allow "interesting" IPv6 extension headers
> within my own AS - because in such cases I have much more control.
> There is no way I'm going to allow IPv6 packets with long chains of
> "interesting" IPv6 header chains to pass my border routers. Either
> they have short enough header chains that my border routers can
> inspect the L4 info at line rate - or they get dropped.

Hi Steinar,

I wouldn't react to the above if you were operating an enterprise network, but considering you're an ISP and transit provider, I find the above rather surprising (and I do not mean that in a good way).

First, your customers might have a perfectly valid reason to send or receive IPv6 headers with IPv6 extension header chains you apparently will drop at your border. FWIW, if I found out that my upstream arbitrarily dropped packets because they found them "interesting", breaking my applications in the process, I would not remain a customer of theirs for long.

Second, the packets might be encrypted using ESP. In that case, you have absolutely no way of knowing if the extension header chain is long enough to be "interesting enough to drop", or if the ESP header is the only extension header there is ("short enough to forward"). What do you do then?

Third, your border routers obviously cannot inspect the L4 info in an ESP-encrypted packet at all, line rate or not. Does that mean you drop all ESP packets at your AS borders? I really hope not.

Tore
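
The second and third points above, as an added example that is not part of the original message: a Python walker that follows the Next Header chain of a raw IPv6 packet the way a filtering device would, and reports where it can or cannot reach the L4 header. The function names, the limit of 8 extension headers and the sample packets are constructed assumptions, not any vendor's behaviour.

```python
import struct

# Protocol numbers of IPv6 extension headers (RFC 8200, RFC 4302/4303).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, TCP = 0, 43, 44, 50, 51, 60, 6
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}

def walk_chain(packet: bytes, max_ext_headers: int = 8):
    """Follow the Next Header chain of a raw IPv6 packet.

    Returns (chain, verdict); verdict is "upper-layer", "opaque-esp",
    "non-first-fragment", "chain-too-long" or "truncated".
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return [], "truncated"
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT_HEADERS:
        if len(chain) >= max_ext_headers:
            return chain, "chain-too-long"
        if off + 8 > len(packet):
            return chain, "truncated"
        chain.append(nxt)
        if nxt == FRAGMENT:
            size = 8
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return chain, "non-first-fragment"  # no L4 header follows
        elif nxt == AH:
            size = (packet[off + 1] + 2) * 4   # AH length is in 32-bit words
        else:
            size = (packet[off + 1] + 1) * 8   # others use 8-octet units
        nxt, off = packet[off], off + size
    chain.append(nxt)
    # Everything after the ESP SPI and sequence number is ciphertext,
    # including the inner Next Header field in the ESP trailer, so any
    # headers wrapped inside ESP cannot be counted or inspected here.
    return chain, "opaque-esp" if nxt == ESP else "upper-layer"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet, 2001:db8::1 -> 2001:db8::2."""
    addr = bytes.fromhex("20010db8" + "00" * 11)
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + addr + b"\x01" + addr + b"\x02" + payload

def ext(next_header: int) -> bytes:
    """Constructed 8-octet options header holding a single PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

# Constructed samples: a short chain, a nine-header chain, and an ESP packet.
SHORT = ipv6(HOP_BY_HOP, ext(DEST_OPTS) + ext(TCP) + bytes(20))
LONG = ipv6(DEST_OPTS, ext(DEST_OPTS) * 8 + ext(TCP) + bytes(20))
ESP_PKT = ipv6(ESP, struct.pack("!II", 0x1000, 1) + bytes(range(48)))
```
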