IPv6 packets with HBH
dez at otenet.gr
Fri Jul 18 21:45:20 CEST 2014
Thanks for your comments.
On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:
> While I cannot speak for all vendors or even for all of my employer's
> products, you will indeed find that control-plane policing (=
> rate-limiting) is either on by default or can be configured on most
> Alternatively, you may want to use plain ACL to drop all those
> potentially-harmful packets with HbH.
> You probably know that HbH is also used on the local link for MLD and on
> the WAN for RSVP (and possibly for other purposes). So, be sure to
> understand your own use before configuring drop/rate limiting ;-)
> Rate-limiting is really the way to go IMHO. A platform which processes HbH
> without rate-limiting (and there are such platforms) should NOT be
> deployed on the wild Internet.
maybe I should forward this last comment (with which I agree) to our
local Cisco team ;)
> Hope that this belated reply helps
> On 5/07/14 15:27, "Yannis Nikolopoulos" <dez at otenet.gr> wrote:
>> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>>> how do people handle packets with HBH present? Since their use is a
>>>> potential attack vector, do people rate-limit them? I can't seem to find
>>>> some sort of "best practice" on the issue
>>> I have the impression that they are simply ignored in many cases.
>>> That is simpler than rate-limiting. It is legal, because we reduced
>>> the requirement to process them to a SHOULD in RFC 7045:
>>> The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>> intermediate forwarding nodes as described in [RFC2460]. However, it
>>> is to be expected that high-performance routers will either ignore
>>> or assign packets containing it to a slow processing path.
>>> planning to use a hop-by-hop option need to be aware of this likely
>> That sounds fine and it would make our lives easier but...
>> I'm not sure about other vendors, but it seems that Cisco boxes are
>> processing those at each node, at least it seems that ASR9k and 7600 do
>> (although there's the option to rate-limit them). CRS probably rate-limits
>> them by default but the info is quite scarce
>>> - Brian
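As an added illustration of the policy discussed in this thread (editor's example, not code from the list, from Cisco or from any RFC): a small Python parser that walks the IPv6 Hop-by-Hop header and sorts packets into "forward" (no HBH), "rate-limit" (only a Router Alert for MLD on the local link or for RSVP, the two uses Eric names as legitimate) and "drop" (any other or malformed HBH, the plain-ACL choice). The sample packets and the unknown option type 0x3E are constructed for the example; the MLD sanity check (ff02::/16 destination, hop limit 1) is the editor's addition.

```python
import struct
HOPOPTS = 0                                      # IPv6 next-header value for Hop-by-Hop Options
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5   # RFC 2460 padding; RFC 2711 Router Alert
RA_MLD, RA_RSVP = 0, 1                           # Router Alert values used by MLD and RSVP

def ipv6_packet(next_header, payload, src, dst, hop_limit=64):
    # Minimal IPv6 header (version 6, zero traffic class and flow label) ahead of the payload.
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit, src, dst) + payload

def parse_hbh(pkt):
    # [(option_type, data), ...] from the HBH header, None if there is none; malformed input raises ValueError.
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != HOPOPTS:
        return None
    ext = pkt[40:]
    total = (ext[1] + 1) * 8 if len(ext) >= 2 else 0  # Hdr Ext Len: 8-octet units, first unit not counted
    if total == 0 or len(ext) < total:
        raise ValueError("truncated HBH header")
    opts, i, found = ext[2:total], 0, []
    while i < len(opts):
        if opts[i] == OPT_PAD1:                        # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("option overruns HBH header")
        found.append((opts[i], bytes(opts[i + 2:i + 2 + opts[i + 1]])))
        i += 2 + opts[i + 1]
    return found

def hbh_policy(pkt):
    # "forward": no HBH. "rate-limit": only a Router Alert for MLD (link-local multicast, hop limit 1)
    # or RSVP, the uses the thread treats as legitimate. "drop": any other HBH (the plain-ACL choice).
    try:
        opts = parse_hbh(pkt)
    except ValueError:
        return "drop"
    if opts is None:
        return "forward"
    real = [(t, d) for t, d in opts if t != OPT_PADN]
    if len(real) == 1 and real[0][0] == OPT_ROUTER_ALERT and len(real[0][1]) == 2:
        value = struct.unpack("!H", real[0][1])[0]
        if value == RA_RSVP or (value == RA_MLD and pkt[24:26] == b"\xff\x02" and pkt[7] == 1):
            return "rate-limit"
    return "drop"

# Constructed samples (not captures). Router Alert + PadN(0) fills exactly one 8-octet HBH unit.
LINK_LOCAL, ALL_NODES = b"\xfe\x80" + b"\x00" * 13 + b"\x01", b"\xff\x02" + b"\x00" * 13 + b"\x01"
MLD_LIKE = ipv6_packet(HOPOPTS, bytes([58, 0, 5, 2, 0, 0, 1, 0]) + b"\x00" * 24, LINK_LOCAL, ALL_NODES, 1)
UNKNOWN_HBH = ipv6_packet(HOPOPTS, bytes([6, 0, 0x3E, 4, 1, 2, 3, 4]), LINK_LOCAL, LINK_LOCAL)  # made-up type 0x3E
```

A real ACL or CoPP policer would be configured on the platform rather than written in Python; the point of the example is to show what the legitimate HBH cases look like on the wire so that a drop rule does not also kill MLD or RSVP.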