Extension headers and firewalls

Merike Kaeo merike at doubleshotsecurity.com
Mon Jul 23 00:17:52 CEST 2012


On Jul 22, 2012, at 3:00 PM, S.P.Zeidler wrote:

> Thus wrote Brian E Carpenter (brian.e.carpenter at gmail.com):
> 
>> On 22/07/2012 17:08, Cameron Byrne wrote:
>>> On Sun, Jul 22, 2012 at 12:55 AM, Brian E Carpenter
>>> <brian.e.carpenter at gmail.com> wrote:
>>>> hang on - Cameron's statement is ambiguous.
>>>> Does it mean "firewalls blocking legal extension headers should be deprecated"
>>>> or "hosts sending legal extension headers should be deprecated"?
>>>> 
>>> 
>>> The latter.
>>> 
>>> Per RFC 2460, firewalls and routers should not be processing extension
>>> headers.  
>> 
>> Except for HbH options (which I think we can agree are a mistake)
>> forwarding boxes are supposed to *ignore* extension headers. They
>> aren't supposed to *discard* them.
> 
> Yet when a feature gets used as an attack vehicle, arguing that firewalls
> should still ignore its presence is missing the point of firewalls.
> 
> Guidance on how to handle them well might be more useful here.

+1

not to mention the RH-Type0 filtering which most routers had incorporated

I struggle with wanting a clean end-to-end model but having capability of catching malware as close to source as possible.

- merike
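
[Added example, not part of the thread above or of any of the posters' code. It sketches what "handling extension headers well" on a forwarding box can look like in practice: walk the IPv6 header chain, drop the deprecated Routing Header Type 0 (RFC 5095) that the reply mentions most routers already filter, drop packets whose chain is truncated or unreasonably long, and otherwise pass the packet without looking inside the extension headers it skips, which is the "ignore, don't discard" behaviour from RFC 2460 that Brian refers to. The sample packets are constructed by hand, MAX_EXT_HEADERS is an assumed policy knob rather than a protocol constant, and classify() is a hypothetical helper name.]

```python
"""Walk an IPv6 extension-header chain and apply a simple firewall policy.

Added example for the ipv6-ops thread; not code from any poster.
The packets at the bottom are constructed for this example, not captured.
"""
import struct

# IPv6 protocol numbers (IANA) for the extension headers we know how to skip.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
NO_NEXT_HEADER, TCP, UDP = 59, 6, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY}

IPV6_FIXED_LEN = 40
MAX_EXT_HEADERS = 8  # assumed policy value, not a protocol constant


def _ext_header_len(nh, buf, off):
    """Byte length of the extension header of type nh starting at buf[off]."""
    if nh == FRAGMENT:
        return 8  # fixed size; its second byte is reserved, not a length
    if nh == AH:
        return (buf[off + 1] + 2) * 4  # AH length is in 32-bit words minus 2
    return (buf[off + 1] + 1) * 8  # generic: 8-octet units, excluding the first 8


def classify(packet):
    """Return (verdict, reason) for a raw IPv6 packet given as bytes."""
    if len(packet) < IPV6_FIXED_LEN or packet[0] >> 4 != 6:
        return "DROP", "not an IPv6 packet"
    nh, off, count = packet[6], IPV6_FIXED_LEN, 0
    while nh in EXT_HEADERS:
        if nh == ESP:
            return "PASS", "chain ends at ESP"  # payload is opaque from here on
        if off + 2 > len(packet):
            return "DROP", "truncated extension header chain"
        count += 1
        if count > MAX_EXT_HEADERS:
            return "DROP", "too many extension headers"
        hlen = _ext_header_len(nh, packet, off)
        if off + hlen > len(packet):
            return "DROP", "truncated extension header chain"
        if nh == ROUTING and packet[off + 2] == 0:
            return "DROP", "routing header type 0 (deprecated by RFC 5095)"
        # Any other extension header is skipped without inspecting its contents.
        nh, off = packet[off], off + hlen
    if nh == NO_NEXT_HEADER:
        return "PASS", "no upper-layer header"
    return "PASS", f"upper-layer protocol {nh} at offset {off}"


# ---- constructed sample packets -------------------------------------------
SRC = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
DST = bytes.fromhex("20010db8000000000000000000000002")
PADN6 = b"\x01\x04" + b"\x00" * 4  # one PadN option filling 6 bytes of options


def ipv6(next_header, payload):
    """Fixed IPv6 header (version 6, hop limit 64) followed by payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload


def ext(next_header, body):
    """Generic extension header: next header, length in 8-octet units, body."""
    assert (2 + len(body)) % 8 == 0
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def rh0(next_header, hop):
    """Routing Header Type 0 with one intermediate address, segments left = 1."""
    return ext(next_header, bytes([0, 1]) + b"\x00" * 4 + hop)


UPPER = b"\x00" * 20  # placeholder upper-layer bytes; never parsed by classify()
FRAG_UDP = bytes([UDP, 0]) + struct.pack("!HI", 0, 0x1234)  # offset 0, M=0, id
AH_TCP = bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\x00" * 12

SAMPLES = {
    "plain_tcp": ipv6(TCP, UPPER),
    "hbh_then_rh0": ipv6(HOP_BY_HOP, ext(ROUTING, PADN6) + rh0(TCP, DST) + UPPER),
    "dstopts_frag_udp": ipv6(DEST_OPTS, ext(FRAGMENT, PADN6) + FRAG_UDP + b"\x00" * 8),
    "ah_tcp": ipv6(AH, AH_TCP + UPPER),
    "esp": ipv6(ESP, b"\x00" * 16),
    "long_chain": ipv6(DEST_OPTS, ext(DEST_OPTS, PADN6) * 9 + ext(TCP, PADN6) + UPPER),
    "truncated": ipv6(DEST_OPTS, bytes([TCP])),  # chain cut off after one byte
}


def run_samples():
    """Classify every constructed sample; returns {name: (verdict, reason)}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:18s} {verdict:4s} {reason}")
```

The point of the design is that only three conditions lead to a drop: RH0, a chain that cannot be walked to its end, and a chain longer than the local policy allows. Everything else is forwarded with the extension headers untouched and uninspected, so the filter does not turn "legal but unusual" into "blocked". A real deployment would also want a rule for Hop-by-Hop options, which this example deliberately leaves as pass-through.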


More information about the ipv6-ops mailing list