IPv6 packets with HBH

Yannis Nikolopoulos dez at otenet.gr
Sat Jul 5 15:27:47 CEST 2014


On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>> hello,
>>
>> how do people handle packets with HBH present? Since their use is a
>> potential attack vector, do people rate-limit them? I can't seem to find
>> some sort of "best practice" on the issue
> I have the impression that they are simply ignored in many cases.
> That is simpler than rate-limiting. It is legal, because we reduced
> the requirement to process them to a SHOULD in RFC 7045:
>
>     The IPv6 Hop-by-Hop Options header SHOULD be processed by
>     intermediate forwarding nodes as described in [RFC2460].  However, it
>     is to be expected that high-performance routers will either ignore it
>     or assign packets containing it to a slow processing path.  Designers
>     planning to use a hop-by-hop option need to be aware of this likely
>     behaviour.
That sounds fine and it would make our lives easier but...

I'm not sure about other vendors, but it seems that Cisco boxes are
processing those at each node, at least it seems that ASR9k and 7600 do 
(although there's the option to rate-limit them). CRS probably rate 
limit them by default but the info is quite scarce

cheers

>
>   - Brian
>
>> cheers,
>> Yannis
>>
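
The two handling choices discussed in this thread (ignore the Hop-by-Hop header, or punt it to a rate-limited slow path) both start with recognising Next Header 0 directly after the fixed IPv6 header. The sketch below is an added example, not part of the original message and not any vendor's implementation: `parse_hbh`, `HbhLimiter`, the decision labels and the rate and burst values are assumptions, and the sample packet is constructed.

```python
import struct

HBH = 0  # Next Header value of the Hop-by-Hop Options header (RFC 2460)
def parse_hbh(pkt: bytes):
    """Return [(type, data)] for non-padding HBH options, or None if no HBH."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != HBH:              # HBH, when present, directly follows the fixed header
        return None
    if len(pkt) < 48 or len(pkt) < 40 + (pkt[41] + 1) * 8:
        raise ValueError("truncated HBH header")
    end = 40 + (pkt[41] + 1) * 8   # Hdr Ext Len counts 8-octet units past the first
    opts, i = [], 42
    while i < end:
        if pkt[i] == 0:            # Pad1 is a single octet with no length field
            i += 1
            continue
        if i + 2 > end or i + 2 + pkt[i + 1] > end:
            raise ValueError("option overruns header")
        if pkt[i] != 1:            # skip PadN, keep every other option
            opts.append((pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]))
        i += 2 + pkt[i + 1]
    return opts

class HbhLimiter:
    """Token bucket applied only to HBH packets (the policy is an assumption)."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0
    def decide(self, pkt: bytes, now: float) -> str:
        try:
            opts = parse_hbh(pkt)
        except ValueError:
            return "drop"          # malformed extension header
        if opts is None:
            return "forward"       # no HBH: normal forwarding, never rate-limited
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return "drop"          # HBH budget exhausted
        self.tokens -= 1
        return "slow-path"

def ipv6(next_header: int, payload: bytes) -> bytes:
    addr = lambda n: bytes.fromhex("20010db8") + bytes(11) + bytes([n])
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addr(1) + addr(2) + payload

# Constructed sample (2001:db8::1 -> 2001:db8::2): Router Alert option (type 5) plus PadN.
HBH_PKT = ipv6(HBH, bytes([59, 0, 5, 2, 0, 0, 1, 0]))
```

Only packets that actually carry the header consume tokens, so ordinary traffic is unaffected when the HBH budget runs out.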


