[ipv6-wg] [v6ops] Extension Headers / Impact on Security Devices

* sthaug at nethelp.no

> Back to IPv6: I might allow "interesting" IPv6 extension headers
> within my own AS - because in such cases I have much more control.
> There is no way I'm going to allow IPv6 packets with long chains of
> "interesting" IPv6 header chains to pass my border routers. Either
> they have short enough header chains that my border routers can
> inspect the L4 info at line rate - or they get dropped.

Hi Steinar,

I wouldn't react to the above if you were operating an enterprise
network, but considering you're an ISP and transit provider, I find the
above rather surprising (and I do not mean that in a good way).

First, your customers might have a perfectly valid reason to send or
receive IPv6 headers with IPv6 extension header chains you apparantly
will drop at your border. FWIW, if I found out that my upstream
arbitrarily dropped packets because they found them "interesting",
breaking my applications in the process, I would not remain a customer
of theirs for long.

Second, the packets might be encrypted using ESP. In that case, you
have absolutely no way of knowing if the extension header chain is long
enough to be "interesting enough to drop", or if the ESP header is the
only extension header there is ("short enough to forward"). What do you
do then?

Third, your border routers obviously cannot inspect the L4 info in an
ESP-encrypted packet at all, line rate or not. Does that mean you drop
all ESP packets at your AS borders? I really hope not.

Tore