This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ipv6-wg] [v6ops] Extension Headers / Impact on Security Devices
sthaug at nethelp.no
Thu Jun 18 08:53:56 CEST 2015
> > Yes, we're aware of RFC7112. It's just: no OS we know and no devices we're aware of (feel free to provide pointers) implement RFC 7112 as of today.
>
> No, it's too new. But I suggest that it gives you license to drop packets
> with fragmented header chains, and tell anyone who complains that they
> don't conform to the IPv6 standard.

It may be relevant to ask for RFC 7112 support next time we're doing an equipment RFQ (in a few years).

> > but many attack tools implement the techniques mentioned above. Which is why quite some operators (in particular, but not only) from enterprise and managed service provider/cloud space drop all EHs except, maybe, AH+ESP.
>
> Whereas dropping *all* EHs breaks the IPv6 standard.

Obviously. But until RFC 7112 support is available, I believe we will see a significant amount of breakage for IPv6 extension headers - and header chains will be limited to significantly less than 1280 bytes.

> EHs as an extension mechanism are *not* innovation. They've been in the design
> for 20 years. I'm actually with Fred on this: it's time for the hardware
> designers to step up. With RFC 7112, we've told them that the maximum packet
> size they need to parse is 1280 (after removing tunneling overhead).

IPv6 extension header processing is sufficiently complex that I'm not at all sure that "time for the hardware designers to step up" will be enough. My prediction is that we'll see security alerts from hardware manufacturers for many years to come, due to the complexity.

Steinar Haug, AS 2116
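
A stateless filter check for the "drop packets with fragmented header chains" rule discussed in this message, as an added example that is not part of the original post. The function and helper names are hypothetical, only the extension headers from RFC 2460 are walked, and the packet length is taken from the captured bytes rather than the payload-length field.

```python
import struct

# Extension headers defined in RFC 2460 (assumption: anything else is upper-layer).
HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
EXT = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}
UPPER_MIN = {6: 20, 17: 8, 58: 4}   # minimum TCP, UDP, ICMPv6 header sizes
DROP_CHAIN = "drop: header chain truncated"

def check_header_chain(pkt: bytes) -> str:
    """Stateless RFC 7112 style check on one raw IPv6 packet (no link header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop: not IPv6"
    nh, off = pkt[6], 40
    while nh in EXT:
        if off + 2 > len(pkt):
            return DROP_CHAIN
        if nh == FRAGMENT:
            size = 8
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4      # AH length is in 4-octet units
        else:
            size = (pkt[off + 1] + 1) * 8      # others: 8-octet units past the first 8
        if off + size > len(pkt):
            return DROP_CHAIN
        if nh == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return "pass: non-first fragment"  # nothing to check without reassembly
        nh, off = pkt[off], off + size
    if len(pkt) - off < UPPER_MIN.get(nh, 0):
        return "drop: upper-layer header missing"
    return "pass"

# Constructed sample packets (all-zero addresses, made-up fragment ID).
def ipv6(nh, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + bytes(32) + payload
def frag(nh, offset, more):
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x1234)
def dstopts(nh, n=0):  # one PadN option fills the header to (n + 1) * 8 octets
    return bytes([nh, n, 1, 8 * n + 4]) + bytes(8 * n + 4)

SAMPLES = {
    "complete": ipv6(FRAGMENT, frag(DSTOPTS, 0, 1) + dstopts(6) + bytes(20)),
    "chain split": ipv6(FRAGMENT, frag(DSTOPTS, 0, 1) + dstopts(DSTOPTS)),
    "no upper layer": ipv6(FRAGMENT, frag(DSTOPTS, 0, 1) + dstopts(6)),
    "later fragment": ipv6(FRAGMENT, frag(DSTOPTS, 5, 0) + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} {check_header_chain(pkt)}")
```

Non-first fragments pass here because a stateless device cannot tie them back to a first fragment; that decision belongs to reassembly or flow state.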