IPv6 packets with HBH

Yannis Nikolopoulos dez at otenet.gr
Fri Jul 18 21:45:20 CEST 2014


thanks for your comments

On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:
> Yannis
> While I cannot speak for all vendors or even for all of my employer's
> products, you will indeed find that control-plane policing (=
> rate-limiting) is either on by default or can be configured on most
> routers.
> Alternatively, you may want to use plain ACL to drop all those
> potentially-harmful packets with HbH.
> You probably know that HbH is also used on the local link for MLD and on
> the WAN for RSVP (and possibly for other purposes). So, be sure to
> understand your own use before configuring drop/rate limiting ;-)
> Rate-limiting is really the way to go IMHO. A platform which processes HbH
> without rate-limiting (and there are such platforms) should NOT be
> deployed on the wild Internet.

maybe I should forward this last comment (with which I agree) to our 
local Cisco team ;)


> Hope that this belated reply helps
> -éric
> On 5/07/14 15:27, "Yannis Nikolopoulos" <dez at otenet.gr> wrote:
>> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>>> hello,
>>>> how do people handle packets with HBH present? Since their use is a
>>>> potential attack vector, do people rate-limit them? I can't seem to
>>>> find
>>>> some sort of "best practice" on the issue
>>> I have the impression that they are simply ignored in many cases.
>>> That is simpler than rate-limiting. It is legal, because we reduced
>>> the requirement to processing them to a SHOULD in RFC 7045:
>>>      The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>>      intermediate forwarding nodes as described in [RFC2460].  However,
>>> it
>>>      is to be expected that high-performance routers will either ignore
>>> it
>>>      or assign packets containing it to a slow processing path.
>>> Designers
>>>      planning to use a hop-by-hop option need to be aware of this likely
>>>      behaviour.
>> That sounds fine and it would make our lives easier but...
>> I'm note sure about other vendors, but it seems that Cisco boxes are
>> processing those at each node, at least it seems that ASR9k and 7600 do
>> (although there's the option to rate-limit them). CRS probably rate
>> limit them by default but the info is quite scarce
>> cheers
>>>    - Brian
>>>> cheers,
>>>> Yannis

More information about the ipv6-ops mailing list