Extension headers and firewalls

Brian E Carpenter brian.e.carpenter at gmail.com
Mon Jul 23 08:57:17 CEST 2012


On 22/07/2012 23:00, S.P.Zeidler wrote:
> Thus wrote Brian E Carpenter (brian.e.carpenter at gmail.com):
> 
>> On 22/07/2012 17:08, Cameron Byrne wrote:
>>> On Sun, Jul 22, 2012 at 12:55 AM, Brian E Carpenter
>>> <brian.e.carpenter at gmail.com> wrote:
>>>> hang on - Cameron's statement is ambiguous.
>>>> Does it mean "firewalls blocking legal extension headers should be deprecated"
>>>> or "hosts sending legal extension headers should be deprecated"?
>>>>
>>> The latter.
>>>
>>> Per RFC 2460, firewalls and routers should not be processing extension
>>> headers.  
>> Except for HbH options (which I think we can agree are a mistake)
>> forwarding boxes are supposed to *ignore* extension headers. They
>> aren't supposed to *discard* them.
> 
> Yet when a feature gets used as an attack vehicle, arguing that firewalls
> should still ignore its presence is missing the point of firewalls.
> 
> Guidance how to handle them well might be more useful here.

Yes indeed. To consider my own hobby-horse, blindly dropping all packets
containing shim6 headers is really bad. Dropping shim6 packets that do
not use the shim6 anti-spoofing security mechanism would be a reasonable
option in a security policy.

As Tore said: as long as this mechanism is needed, firewalls should
handle it correctly.

That seems clear enough for this mailing list - looks like some work
is needed in IETF-land.

    Brian
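Brian's point is that a forwarding box should skip over legal extension headers to reach the upper-layer protocol, and only then apply policy; a firewall that cannot walk the chain tends to fall back to dropping anything with an extension header. The following is an added illustration, not code from this thread or from any shim6 implementation. It walks an IPv6 extension header chain (hop-by-hop, routing, fragment, destination options, and shim6, which IANA assigns protocol number 140 per RFC 5533) and applies a small policy: malformed or truncated chains are dropped, a hop-by-hop header that is not first is dropped (RFC 2460 requires it to immediately follow the IPv6 header), a non-initial fragment is held for reassembly, and everything else is accepted on the basis of its upper-layer protocol, with shim6 presence reported so that a shim6-specific rule could be attached. The packets are constructed inline with zeroed addresses; the policy strings and the `build_packet` helper are this example's own, not anything from an RFC or product. Whether a shim6 context uses the anti-spoofing mechanism (HBA/CGA) is established in the context-setup exchange, not visible in a single payload packet, so that check is deliberately not modelled here.

```python
import struct

# IANA protocol numbers. 140 is Shim6 (RFC 5533).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, SHIM6 = 0, 43, 44, 60, 140
EXT_HEADERS = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
               DEST_OPTS: "dest-options", SHIM6: "shim6"}
UPPER_LAYER = {6: "tcp", 17: "udp", 58: "icmpv6", 59: "no-next-header"}


def walk_chain(pkt: bytes):
    """Walk the extension header chain of an IPv6 packet.

    Returns (list of extension header names, upper-layer name or None),
    or None if the chain is malformed or truncated before the upper layer.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    next_hdr = pkt[6]          # Next Header field of the fixed IPv6 header
    off = 40                   # first extension header starts after 40 octets
    chain = []
    while next_hdr in EXT_HEADERS:
        if off + 2 > len(pkt):
            return None        # cannot even read Next Header / Hdr Ext Len
        chain.append(EXT_HEADERS[next_hdr])
        if next_hdr == FRAGMENT:
            # Fixed 8-octet header, no length field. A non-zero fragment
            # offset means the rest of the chain lives in the first fragment.
            if off + 8 > len(pkt):
                return None
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return chain, "non-initial-fragment"
            hdr_len = 8
        else:
            # Hdr Ext Len is in 8-octet units, not counting the first 8 octets
            # (RFC 2460 convention; shim6 uses the same encoding per RFC 5533).
            hdr_len = (pkt[off + 1] + 1) * 8
        next_hdr = pkt[off]
        off += hdr_len
    if off > len(pkt):
        return None            # last extension header ran past the packet
    return chain, UPPER_LAYER.get(next_hdr)


def policy(pkt: bytes):
    """Return (action, reason). Actions are 'accept', 'drop', or 'hold'."""
    result = walk_chain(pkt)
    if result is None:
        return "drop", "malformed or truncated extension header chain"
    chain, upper = result
    if upper == "non-initial-fragment":
        return "hold", "non-initial fragment; needs reassembly state"
    if upper is None:
        return "drop", "unknown upper-layer protocol"
    if "hop-by-hop" in chain and chain[0] != "hop-by-hop":
        return "drop", "hop-by-hop header not immediately after IPv6 header"
    # Legal extension headers are ignored for the decision itself; the
    # upper-layer protocol is what the rule set is written against.
    if "shim6" in chain:
        return "accept", f"{upper}; shim6 present, shim6-specific rules apply"
    return "accept", upper


def build_packet(ext_headers, upper, payload=b"", frag_offset=0):
    """Construct a minimal IPv6 packet (addresses zeroed) for the demo.

    Every extension header is emitted at its minimum 8-octet size.
    This helper exists only to produce test input; it is not a real stack.
    """
    chain = ext_headers + [upper]
    body = b""
    for i, h in enumerate(ext_headers):
        nh = chain[i + 1]
        if h == FRAGMENT:
            # Next Header, Reserved, Fragment Offset(13)|Res(2)|M(1), Identification
            body += bytes([nh, 0]) + struct.pack("!HI", frag_offset << 3, 0x12345678)
        else:
            body += bytes([nh, 0]) + b"\x00" * 6   # Hdr Ext Len 0 => 8 octets
    payload_len = len(body) + len(payload)
    fixed = struct.pack("!IHBB", 6 << 28, payload_len, chain[0], 64) + b"\x00" * 32
    return fixed + body + payload


if __name__ == "__main__":
    samples = {
        "dst-opts + shim6 + tcp": build_packet([DEST_OPTS, SHIM6], 6),
        "hop-by-hop + udp": build_packet([HOP_BY_HOP], 17),
        "hop-by-hop out of order": build_packet([DEST_OPTS, HOP_BY_HOP], 6),
        "truncated chain": build_packet([DEST_OPTS], 6)[:42],
        "non-initial fragment": build_packet([FRAGMENT], 6, frag_offset=8),
    }
    for name, pkt in samples.items():
        print(f"{name:26s} -> {policy(pkt)}")
```

The walker stops at the first thing it cannot parse and lets the policy decide, rather than treating "has an extension header" as a reason to discard, which is the distinction between ignoring a header and dropping the packet that the thread is drawing.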

