IPv6 packets with HBH

Eric Vyncke (evyncke) evyncke at cisco.com
Wed Jul 9 11:47:27 CEST 2014


Yannis

While I cannot speak for all vendors or even for all of my employer's
products, you will indeed find that control-plane policing (=
rate-limiting) is either on by default or can be configured on most
routers.

Alternatively, you may want to use a plain ACL to drop all those
potentially-harmful packets with HbH.

You probably know that HbH is also used on the local link for MLD and on
the WAN for RSVP (and possibly for other purposes). So, be sure to
understand your own use before configuring drop/rate limiting ;-)

Rate-limiting is really the way to go IMHO. A platform which processes HbH
without rate-limiting (and there are such platforms) should NOT be
deployed on the wild Internet.

Hope that this belated reply helps

-éric


On 5/07/14 15:27, "Yannis Nikolopoulos" <dez at otenet.gr> wrote:

>On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>> hello,
>>>
>>> how do people handle packets with HBH present? Since their use is a
>>> potential attack vector, do people rate-limit them? I can't seem to find
>>> some sort of "best practice" on the issue
>> I have the impression that they are simply ignored in many cases.
>> That is simpler than rate-limiting. It is legal, because we reduced
>> the requirement to processing them to a SHOULD in RFC 7045:
>>
>>     The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>     intermediate forwarding nodes as described in [RFC2460].  However, it
>>     is to be expected that high-performance routers will either ignore it
>>     or assign packets containing it to a slow processing path.  Designers
>>     planning to use a hop-by-hop option need to be aware of this likely
>>     behaviour.
>That sounds fine and it would make our lives easier but...
>
>I'm not sure about other vendors, but it seems that Cisco boxes are
>processing those at each node, at least it seems that ASR9k and 7600 do
>(although there's the option to rate-limit them). CRS probably rate-limits
>them by default but the info is quite scarce
>
>cheers
>
>>
>>   - Brian
>>
>>> cheers,
>>> Yannis
>>>
>
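Added worked example (not code from the list, from Eric, or from any router vendor) of the policy the reply above recommends: recognise the HbH traffic a link legitimately needs, punt it to the control plane under a token-bucket policer, and drop every other HbH packet with an ACL-style rule. The MLD/RSVP recognition relies on RFC 2711 Router Alert values (0 = MLD, 1 = RSVP) combined with the upper-layer protocol; the extra MLD checks (link-local source, hop limit 1, ICMPv6 MLD type) and the policer rate are my assumptions, as are the function names `classify`, `decide` and `TokenBucket`. The packets are constructed inline, not captures.

```python
"""Classify IPv6 packets carrying a Hop-by-Hop (HbH) header and apply a
control-plane policy: punt expected HbH uses (MLD, RSVP) under a token
bucket, drop the rest. Example code; thresholds and heuristics are assumed."""
import struct
import ipaddress

IPPROTO_HOPOPTS, IPPROTO_RSVP, IPPROTO_ICMPV6 = 0, 46, 58
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5   # RFC 2460 padding, RFC 2711 Router Alert
RA_MLD, RA_RSVP = 0, 1                            # Router Alert values (RFC 2711)
MLD_TYPES = {130, 131, 132, 143}                  # ICMPv6 MLD query, report, done, MLDv2 report


def parse_ipv6(pkt):
    """Return fixed-header fields plus the TLV options of a leading HbH header, if any."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtcfl >> 28 != 6:
        raise ValueError("not IPv6")
    info = {"src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
            "hop_limit": hlim, "hbh": False, "options": []}
    payload = pkt[40:40 + plen]
    if nh == IPPROTO_HOPOPTS:
        # Hdr Ext Len is in 8-octet units, not counting the first 8 octets.
        if len(payload) < 8 or len(payload) < (payload[1] + 1) * 8:
            raise ValueError("truncated HbH header")
        info["hbh"] = True
        nh, hdrlen = payload[0], (payload[1] + 1) * 8
        opts, i = payload[2:hdrlen], 0
        while i < len(opts):
            if opts[i] == OPT_PAD1:          # single-octet padding, no length field
                i += 1
                continue
            if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
                raise ValueError("truncated option")
            if opts[i] != OPT_PADN:          # keep only meaningful options
                info["options"].append((opts[i], bytes(opts[i + 2:i + 2 + opts[i + 1]])))
            i += 2 + opts[i + 1]
        payload = payload[hdrlen:]
    info["next_header"], info["payload"] = nh, payload
    return info


def classify(pkt):
    """'no-hbh', 'mld', 'rsvp' or 'other-hbh'. MLD and RSVP are recognised by the
    Router Alert value together with the upper-layer protocol, never by the option alone."""
    p = parse_ipv6(pkt)
    if not p["hbh"]:
        return "no-hbh"
    alerts = [struct.unpack("!H", d)[0] for t, d in p["options"] if t == OPT_ROUTER_ALERT and len(d) == 2]
    if (alerts == [RA_MLD] and p["next_header"] == IPPROTO_ICMPV6 and p["src"].is_link_local
            and p["hop_limit"] == 1 and p["payload"][:1] and p["payload"][0] in MLD_TYPES):
        return "mld"
    if alerts == [RA_RSVP] and p["next_header"] == IPPROTO_RSVP:
        return "rsvp"
    return "other-hbh"


class TokenBucket:
    """Deterministic token bucket (caller supplies the clock) standing in for a CoPP policer."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst, self.tokens, self.last = rate_pps, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def decide(pkt, bucket, now, expected=("mld",)):
    """'forward' (no HbH, fast path), 'punt' (expected HbH use within rate),
    'policed' (expected use, over rate) or 'drop' (unexpected HbH, ACL)."""
    kind = classify(pkt)
    if kind == "no-hbh":
        return "forward"
    if kind in expected:
        return "punt" if bucket.allow(now) else "policed"
    return "drop"


# --- constructed sample packets (assumed values, not captures) -----------------
def hbh_header(next_header, options):
    body = b"".join(options)
    pad = (-(2 + len(body))) % 8                  # pad to an 8-octet boundary
    body += b"\x00" if pad == 1 else (bytes([OPT_PADN, pad - 2]) + bytes(pad - 2) if pad else b"")
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def ipv6(src, dst, next_header, payload, hop_limit=64):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def router_alert(value):
    return struct.pack("!BBH", OPT_ROUTER_ALERT, 2, value)


MLD_REPORT = ipv6("fe80::1", "ff02::16", IPPROTO_HOPOPTS,
                  hbh_header(IPPROTO_ICMPV6, [router_alert(RA_MLD)]) + bytes([143, 0, 0, 0, 0, 1]), hop_limit=1)
RSVP_PATH = ipv6("2001:db8::1", "2001:db8::2", IPPROTO_HOPOPTS,
                 hbh_header(IPPROTO_RSVP, [router_alert(RA_RSVP)]) + bytes(8))
# Router Alert claiming MLD but carrying TCP from a global source: a punt attempt, not MLD.
FAKE_MLD = ipv6("2001:db8::bad", "2001:db8::2", IPPROTO_HOPOPTS,
                hbh_header(6, [router_alert(RA_MLD)]) + bytes(20))
PAD_ONLY = ipv6("2001:db8::bad", "2001:db8::2", IPPROTO_HOPOPTS, hbh_header(IPPROTO_ICMPV6, []) + bytes(8))
PLAIN = ipv6("2001:db8::1", "2001:db8::2", IPPROTO_ICMPV6, bytes([128, 0, 0, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    policer = TokenBucket(rate_pps=2, burst=2)
    for name, pkt in [("mld", MLD_REPORT), ("rsvp", RSVP_PATH), ("fake", FAKE_MLD),
                      ("pad", PAD_ONLY), ("plain", PLAIN)]:
        print(name, classify(pkt), decide(pkt, policer, now=0.0, expected=("mld", "rsvp")))
```

The `expected` tuple is the part Eric's caveat is about: on an access link you would list only `"mld"`, on a WAN link running RSVP you would add `"rsvp"`, and anything else with HbH (padding-only headers, a Router Alert that does not match its payload) never reaches the slow path at all.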


