IPv6 packets with HBH
Brian E Carpenter
brian.e.carpenter at gmail.com
Sat Jul 5 22:18:32 CEST 2014
On 06/07/2014 01:27, Yannis Nikolopoulos wrote:
> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>> hello,
>>>
>>> how do people handle packets with HBH present? Since their use is a
>>> potential attack vector, do people rate-limit them? I can't seem to find
>>> some sort of "best practice" on the issue
>> I have the impression that they are simply ignored in many cases.
>> That is simpler than rate-limiting. It is legal, because we reduced
>> the requirement to processing them to a SHOULD in RFC 7045:
>>
>> The IPv6 Hop-by-Hop Options header SHOULD be processed by
>> intermediate forwarding nodes as described in [RFC2460]. However, it
>> is to be expected that high-performance routers will either ignore it
>> or assign packets containing it to a slow processing path. Designers
>> planning to use a hop-by-hop option need to be aware of this likely
>> behaviour.
> That sounds fine and it would make our lives easier but...
>
> I'm note sure about other vendors, but it seems that Cisco boxes are
> processing those at each node, at least it seems that ASR9k and 7600 do
> (although there's the option to rate-limit them). CRS probably rate
> limit them by default but the info is quite scarce
It's for router vendors to comment, but the RFC is very recent so
it will be a while before we can expect products to be changed.
If everybody makes a feature request to their vendors along the
lines of "option to disable HBH processing as allowed by RFC 7045"
something might happen.
Brian
More information about the ipv6-ops
mailing list