Extension headers and firewalls
S.P.Zeidler
spz at serpens.de
Mon Jul 23 00:00:27 CEST 2012
Thus wrote Brian E Carpenter (brian.e.carpenter at gmail.com):
> On 22/07/2012 17:08, Cameron Byrne wrote:
> > On Sun, Jul 22, 2012 at 12:55 AM, Brian E Carpenter
> > <brian.e.carpenter at gmail.com> wrote:
> >> hang on - Cameron's statement is ambiguous.
> >> Does it mean "firewalls blocking legal extension headers should be deprecated"
> >> or "hosts sending legal extension headers should be deprecated"?
> >>
> >
> > The latter.
> >
> > Per RFC 2460, firewalls and routers should not be processing extension
> > headers.
>
> Except for HbH options (which I think we can agree are a mistake)
> forwarding boxes are supposed to *ignore* extension headers. They
> aren't supposed to *discard* them.
Yet when a feature gets used as an attack vehicle, arguing that firewalls
should still ignore its presence is missing the point of firewalls.
Guidance how to handle them well might be more useful here.
regards,
spz
--
spz at serpens.de (S.P.Zeidler)
More information about the ipv6-ops
mailing list