IPv6 packets with HBH

Brian E Carpenter brian.e.carpenter at gmail.com
Sat Jul 5 22:18:32 CEST 2014

On 06/07/2014 01:27, Yannis Nikolopoulos wrote:
> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>> hello,
>>> how do people handle packets with HBH present? Since their use is a
>>> potential attack vector, do people rate-limit them? I can't seem to find
>>> some sort of "best practice" on the issue
>> I have the impression that they are simply ignored in many cases.
>> That is simpler than rate-limiting. It is legal, because we reduced
>> the requirement to processing them to a SHOULD in RFC 7045:
>>     The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>     intermediate forwarding nodes as described in [RFC2460].  However, it
>>     is to be expected that high-performance routers will either ignore it
>>     or assign packets containing it to a slow processing path.  Designers
>>     planning to use a hop-by-hop option need to be aware of this likely
>>     behaviour.
> That sounds fine and it would make our lives easier but...
> I'm note sure about other vendors, but it seems that Cisco boxes are
> processing those at each node, at least it seems that ASR9k and 7600 do
> (although there's the option to rate-limit them). CRS probably rate
> limit them by default but the info is quite scarce

It's for router vendors to comment, but the RFC is very recent so
it will be a while before we can expect products to be changed.
If everybody makes a feature request to their vendors along the
lines of "option to disable HBH processing as allowed by RFC 7045"
something might happen.


More information about the ipv6-ops mailing list