Extension headers and firewalls

Brian E Carpenter brian.e.carpenter at gmail.com
Sat Aug 11 09:26:13 CEST 2012


On 10/08/2012 21:17, Florian Weimer wrote:
> * Cameron Byrne:
> 
>> Per RFC 2460, firewalls and routers should not be processing extension
>> headers.
> 
> Per RFC 2460, firewalls and routers should not look at port numbers
> and other upper-layer protocol data.  RFC 2460 (and the whole IPv6
> header design) optimizes for a use case that does not exist anymore,
> software-based forwarding strictly according to destination address.

Of course it exists. There are forwarding boxes that look at more
than the destination address, but they are by no means the only
forwarding boxes in the Internet.

> Deprecating extension headers is one way forward, except that DNSSEC
> needs fragmentation.

And a whole set of other exceptions. Even abolishing fragmentation,
which would be wonderful, would not be enough.

I agree this is a problem area, but your solution is not realistic.

    Brian
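
As an added illustration for the thread above (not code from any of the posters), the Python below walks an IPv6 extension-header chain the way a firewall that wants port numbers has to: through Hop-by-Hop, Routing and Destination Options headers, past AH, stopping at ESP, and stopping at a Fragment header whose offset is non-zero because the upper-layer header is then in a different packet. Header layouts follow RFC 2460 (and RFC 4302 for AH); the addresses, identifiers and payloads are constructed for the demo, and the "large DNS reply split in two" packets stand in for the fragmented DNSSEC responses mentioned above.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV6_HDR_LEN = 40

# Next Header / protocol numbers (RFC 2460 and the IANA registry).
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPTS = (
    0, 6, 17, 43, 44, 50, 51, 59, 60)

# Extension headers sharing the generic layout: Next Header, Hdr Ext Len
# (in 8-octet units, not counting the first 8 octets), then data.
GENERIC_EXT = {HOPOPT, ROUTING, DSTOPTS}


@dataclass
class ChainResult:
    chain: List[int]                  # extension headers in the order seen
    upper_proto: Optional[int]        # upper-layer protocol, if reachable
    upper_offset: Optional[int]       # byte offset of that header in pkt
    fragment_offset: Optional[int]    # octets; None when no Fragment header
    ports: Optional[Tuple[int, int]]  # (src, dst) for TCP/UDP when visible
    reason: str                       # why ports are or are not visible


def walk_ipv6(pkt: bytes) -> ChainResult:
    """Follow the header chain from the fixed IPv6 header to the upper layer."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    nxt, off, chain, frag_off = pkt[6], IPV6_HDR_LEN, [], None

    def stop(reason, proto=None, at=None):
        return ChainResult(chain, proto, at, frag_off, None, reason)

    while nxt in GENERIC_EXT or nxt in (FRAGMENT, AH, ESP, NONEXT):
        if nxt == NONEXT:
            return stop("No Next Header: nothing follows the extension headers")
        if nxt == ESP:
            chain.append(nxt)
            return stop("ESP: upper layer is encrypted", ESP, off)
        if off + 8 > len(pkt):
            return stop("truncated extension header")
        chain.append(nxt)
        if nxt in GENERIC_EXT:
            nxt, off = pkt[off], off + 8 * (pkt[off + 1] + 1)
        elif nxt == AH:
            # AH Payload Len is in 4-octet units, minus 2 (RFC 4302).
            nxt, off = pkt[off], off + 4 * (pkt[off + 1] + 2)
        else:  # FRAGMENT: fixed 8-octet header, offset in 8-octet units
            frag_off = (struct.unpack_from("!H", pkt, off + 2)[0] >> 3) * 8
            nxt, off = pkt[off], off + 8
            if frag_off != 0:
                # Only the first fragment carries the upper-layer header.
                return stop("non-first fragment: upper-layer header is in another packet")

    # nxt is now an upper-layer protocol number.
    if nxt not in (TCP, UDP):
        return stop("protocol %d carries no ports" % nxt, nxt, off)
    if off + 4 > len(pkt):
        return stop("upper-layer header truncated", nxt, off)
    ports = struct.unpack_from("!HH", pkt, off)
    return ChainResult(chain, nxt, off, frag_off, ports, "ports visible")


# --- packet builders for the constructed samples (not captures) -----------

def ipv6(nxt: int, payload: bytes) -> bytes:
    """Fixed header: version 6, zero traffic class/flow label, hop limit 64."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")   # 2001:db8::1 (constructed)
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")   # 2001:db8::2 (constructed)
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + src + dst + payload

def ext_generic(nxt: int) -> bytes:
    """8-octet Hop-by-Hop or Destination Options header holding one PadN option."""
    return bytes([nxt, 0, 1, 4, 0, 0, 0, 0])

def fragment(nxt: int, offset_octets: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", nxt, 0, ((offset_octets // 8) << 3) | int(more), ident)

def tcp(sport: int, dport: int) -> bytes:
    """Minimal 20-octet TCP SYN header, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLE_PLAIN_TCP = ipv6(TCP, tcp(51000, 443))
SAMPLE_WITH_OPTS = ipv6(HOPOPT, ext_generic(DSTOPTS) + ext_generic(UDP)
                        + udp(40000, 53, b"\x00" * 12))
# A large DNS reply split in two: the first fragment carries the UDP header ...
SAMPLE_FIRST_FRAG = ipv6(FRAGMENT, fragment(UDP, 0, True, 0xABCD)
                         + udp(53, 40000, b"\x00" * 1224))
# ... and the second fragment carries payload bytes only.
SAMPLE_LATER_FRAG = ipv6(FRAGMENT, fragment(UDP, 1232, False, 0xABCD) + b"\x00" * 300)

if __name__ == "__main__":
    for name, pkt in [("plain tcp", SAMPLE_PLAIN_TCP), ("hbh+dstopts", SAMPLE_WITH_OPTS),
                      ("first frag", SAMPLE_FIRST_FRAG), ("later frag", SAMPLE_LATER_FRAG)]:
        print(name, walk_ipv6(pkt))
```

The walk is what a port-filtering box has to do on every packet; a destination-address-only forwarder never leaves the fixed 40-octet header. On the second fragment the result is not a parse failure but an absence: the port numbers are in another packet, so any rule keyed on them has to be applied after reassembly, or not at all.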


More information about the ipv6-ops mailing list