IPv6 packets with HBH

Brian E Carpenter brian.e.carpenter at gmail.com
Fri Jul 18 22:02:47 CEST 2014


You-all might want to hop over to IETF-land to comment on
http://tools.ietf.org/html/draft-gont-opsec-ipv6-eh-filtering

Regards
   Brian

On 19/07/2014 07:45, Yannis Nikolopoulos wrote:
> Eric,
> 
> thanks for your comments
> 
> On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:
>> Yannis
>>
>> While I cannot speak for all vendors or even for all of my employer's
>> products, you will indeed find that control-plane policing (=
>> rate-limiting) is either on by default or can be configured on most
>> routers.
>>
>> Alternatively, you may want to use plain ACL to drop all those
>> potentially-harmful packets with HbH.
>>
>> You probably know that HbH is also used on the local link for MLD and on
>> the WAN for RSVP (and possibly for other purposes). So, be sure to
>> understand your own use before configuring drop/rate limiting ;-)
>>
>> Rate-limiting is really the way to go IMHO. A platform which processes HbH
>> without rate-limiting (and there are such platforms) should NOT be
>> deployed on the wild Internet.
> 
> maybe I should forward this last comment (with which I agree) to our
> local Cisco team ;)
> 
> cheers,
> Yannis
> 
>> Hope that this belated reply helps
>>
>> -éric
>>
>>
>> On 5/07/14 15:27, "Yannis Nikolopoulos" <dez at otenet.gr> wrote:
>>
>>> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>>>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>>>> hello,
>>>>>
>>>>> how do people handle packets with HBH present? Since their use is a
>>>>> potential attack vector, do people rate-limit them? I can't seem to find
>>>>> some sort of "best practice" on the issue
>>>> I have the impression that they are simply ignored in many cases.
>>>> That is simpler than rate-limiting. It is legal, because we reduced
>>>> the requirement to processing them to a SHOULD in RFC 7045:
>>>>
>>>>      The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>>>      intermediate forwarding nodes as described in [RFC2460].  However, it
>>>>      is to be expected that high-performance routers will either ignore it
>>>>      or assign packets containing it to a slow processing path.  Designers
>>>>      planning to use a hop-by-hop option need to be aware of this likely
>>>>      behaviour.
>>> That sounds fine and it would make our lives easier but...
>>>
>>> I'm not sure about other vendors, but it seems that Cisco boxes are
>>> processing those at each node, at least it seems that ASR9k and 7600 do
>>> (although there's the option to rate-limit them). CRS probably rate
>>> limit them by default but the info is quite scarce
>>>
>>> cheers
>>>
>>>>    - Brian
>>>>
>>>>> cheers,
>>>>> Yannis
>>>>>
> 
> 
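The filtering question the thread raises, as an added example that is not from the original posts or from any vendor: a Python classifier that walks an IPv6 packet's Hop-by-Hop header, separates the Router Alert uses Eric mentions (MLD, RSVP) from other HBH options, and maps each class to a policy action. The policy table, the all-zero addresses and the sample packets are constructed for illustration; the option and Router Alert values follow RFC 2460 and RFC 2711.

```python
import struct

HOP_BY_HOP = 0                                  # Next Header value of the HBH options header
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5  # option types (RFC 2460, RFC 2711)
ROUTER_ALERT = {0: "MLD", 1: "RSVP"}            # RFC 2711 Router Alert values
# Constructed policy reflecting the thread: keep the HBH uses you rely on, but rate-limited.
POLICY = {"no-hbh": "forward", "ra:MLD": "rate-limit", "ra:RSVP": "rate-limit",
          "ra:other": "drop", "hbh-other": "drop"}

def hbh_options(pkt):
    """Return [(type, value)] from the HBH header, or None if the packet has no HBH header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != HOP_BY_HOP:                    # HBH must directly follow the base header
        return None
    hdr_len = 8 * (pkt[41] + 1)                 # Hdr Ext Len: 8-octet units, first 8 excluded
    body = pkt[42:40 + hdr_len]
    if len(body) != hdr_len - 2:
        raise ValueError("truncated Hop-by-Hop header")
    opts, i = [], 0
    while i < len(body):
        t = body[i]
        if t == OPT_PAD1:                        # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("malformed option TLV")
        n = body[i + 1]
        opts.append((t, bytes(body[i + 2:i + 2 + n])))
        i += 2 + n
    return opts

def classify(pkt):
    """Classify by the first Router Alert option found; any other HBH content is 'hbh-other'."""
    opts = hbh_options(pkt)
    if opts is None:
        return "no-hbh"
    for t, v in opts:
        if t == OPT_ROUTER_ALERT and len(v) == 2:
            return "ra:" + ROUTER_ALERT.get(struct.unpack("!H", v)[0], "other")
    return "hbh-other"

def action(pkt):
    return POLICY[classify(pkt)]

def build(hbh=None):
    """Construct a minimal IPv6 packet (ICMPv6 next header, no payload); sample data only."""
    nh, ext = (HOP_BY_HOP, bytes([58, 0]) + hbh.ljust(6, b"\x00")) if hbh else (58, b"")
    return struct.pack("!IHBB", 0x60000000, len(ext), nh, 64) + b"\x00" * 32 + ext

MLD  = build(bytes([OPT_ROUTER_ALERT, 2, 0, 0]))   # Router Alert value 0 (MLD), Pad1 fill
RSVP = build(bytes([OPT_ROUTER_ALERT, 2, 0, 1]))   # Router Alert value 1 (RSVP)
EXP  = build(bytes([0x1E, 0]))                     # RFC 4727 experimental option, no Router Alert
```

A truncated HBH header (for example `MLD[:44]`) raises `ValueError` rather than being classified, which is the behaviour you want before a policy decision is made.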