[ipv6-wg] [v6ops] Extension Headers / Impact on Security Devices

> > Yes, we're aware of RFC7112. It's just: no OS we know and no devices we're aware of (feel free to provide pointers) implement RFC 7112 as of today. 
> 
> No, it's too new. But I suggest that it gives you license to drop packets
> with fragmented header chains, and tell anyone who complains that they
> don't conform to the IPv6 standard.

It may be relevant to ask for RFC 7112 support next time we're doing
an equipment RFQ (in a few years).

> > but many attack tools implement the techniques mentioned above. Which is why quite some operators (in particular, but not only) from enterprise and managed service provider/cloud space drop all EHs except, maybe, AH+ESP.
> 
> Whereas dropping *all* EHs breaks the IPv6 standard.

Obviously. But until RFC 7112 support is available, I believe we will
see a significant amount of breakage for IPv6 extension headers - and
header chains will be limited to significantly less than 1280 bytes.

> EHs as an extension mechanism are *not* innovation. They've been in the design
> for 20 years. I'm actually with Fred on this: it's time for the hardware
> designers to step up. With RFC 7112, we've told them that the maximum packet
> size they need to parse is 1280 (after removing tunneling overhead).

IPv6 extension header processing is sufficiently complex that I'm not
at all sure that "time for the hardware designers to step up" will be
enough. My prediction is that we'll see security alerts from hardware
manufacturers for many years to come, due to the complexity.

Steinar Haug, AS 2116