Extension headers and firewalls
Merike Kaeo
merike at doubleshotsecurity.com
Mon Jul 23 00:17:52 CEST 2012
On Jul 22, 2012, at 3:00 PM, S.P.Zeidler wrote:
> Thus wrote Brian E Carpenter (brian.e.carpenter at gmail.com):
>
>> On 22/07/2012 17:08, Cameron Byrne wrote:
>>> On Sun, Jul 22, 2012 at 12:55 AM, Brian E Carpenter
>>> <brian.e.carpenter at gmail.com> wrote:
>>>> hang on - Cameron's statement is ambiguous.
>>>> Does it mean "firewalls blocking legal extension headers should be deprecated"
>>>> or "hosts sending legal extension headers should be deprecated"?
>>>>
>>>
>>> The latter.
>>>
>>> Per RFC 2460, firewalls and routers should not be processing extension
>>> headers.
>>
>> Except for HbH options (which I think we can agree are a mistake)
>> forwarding boxes are supposed to *ignore* extension headers. They
>> aren't supposed to *discard* them.
>
> Yet when a feature gets used as an attack vehicle, arguing that firewalls
> should still ignore its presence is missing the point of firewalls.
>
> Guidance how to handle them well might be more useful here.
+1
not to mention the RH-Type0 filtering which most routers had incorporated
I struggle with wanting a clean end-to-end model but having the capability of catching malware as close to the source as possible.
- merike
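The guidance the thread asks for ("ignore rather than discard, but still filter the known-bad ones such as RH Type 0") boils down to walking the extension header chain without touching what you don't understand. The following is an added example, not code from this list or from any of the posters: it parses a raw IPv6 packet's chain, reports the headers it passed over, and sets flags for Hop-by-Hop presence and Routing Header type 0 that a filter could act on. The sample packets, addresses and the build_sample helper are constructed for illustration.

```python
import struct

# IANA protocol numbers for the IPv6 extension headers a filter is likely to see
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}

def inspect_ipv6(packet):
    """Walk the extension header chain of a raw IPv6 packet (bytes).

    Returns the ordered chain of extension header numbers, the upper-layer
    protocol that ends the chain, and two flags a filter can act on:
    rh0 (Routing Header type 0) and hbh (Hop-by-Hop options present).
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    chain, rh0, hbh = [], False, False
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")  # never trust the chain
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            length = 8                              # fixed 8 octets, no length field
        elif next_hdr == AH:
            length = (packet[offset + 1] + 2) * 4   # AH length is in 4-octet units
        else:
            length = (packet[offset + 1] + 1) * 8   # others: 8-octet units, excl. first
        hbh = hbh or next_hdr == HOP_BY_HOP
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            rh0 = True                              # Routing Type field == 0
        next_hdr, offset = packet[offset], offset + length
    return {"chain": chain, "upper": next_hdr, "rh0": rh0, "hbh": hbh}

def build_sample(routing_type, with_hbh=False):
    """Constructed test packet: IPv6 [+ Hop-by-Hop] + Routing header + ICMPv6 echo."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])              # echo request, checksum left zero
    rh = bytes([58, 0, routing_type, 0, 0, 0, 0, 0])      # next=ICMPv6, len=0, seg left=0
    hbh = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0]) if with_hbh else b""  # PadN option only
    payload = hbh + rh + icmp
    first = HOP_BY_HOP if with_hbh else ROUTING
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), first, 64) + src + dst
    return hdr + payload

if __name__ == "__main__":
    for rt, hb in ((0, False), (2, False), (0, True)):
        print(rt, hb, inspect_ipv6(build_sample(rt, hb)))
```

A real filter would drop on rh0 and forward the rest untouched, which keeps the end-to-end model intact for headers the box does not understand.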