Extension headers and firewalls

Brian E Carpenter brian.e.carpenter at gmail.com
Mon Jul 23 08:57:17 CEST 2012


On 22/07/2012 23:00, S.P.Zeidler wrote:
> Thus wrote Brian E Carpenter (brian.e.carpenter at gmail.com):
> 
>> On 22/07/2012 17:08, Cameron Byrne wrote:
>>> On Sun, Jul 22, 2012 at 12:55 AM, Brian E Carpenter
>>> <brian.e.carpenter at gmail.com> wrote:
>>>> hang on - Cameron's statement is ambiguous.
>>>> Does it mean "firewalls blocking legal extension headers should be deprecated"
>>>> or "hosts sending legal extension headers should be deprecated"?
>>>>
>>> The latter.
>>>
>>> Per RFC 2460, firewalls and routers should not be processing extension
>>> headers.  
>> Except for HbH options (which I think we can agree are a mistake)
>> forwarding boxes are supposed to *ignore* extension headers. They
>> aren't supposed to *discard* them.
> 
> Yet when a feature gets used as an attack vehicle, arguing that firewalls
> should still ignore its presence is missing the point of firewalls.
> 
> Guidance how to handle them well might be more useful here.

Yes indeed. To consider my own hobby-horse, blindly dropping all packets
containing shim6 headers is really bad. Dropping shim6 packets that do
not use the shim6 anti-spoofing security mechanism would be a reasonable
option in a security policy.

As Tore said: as long as this mechanism is needed, firewalls should
handle it correctly.

That seems clear enough for this mailing list - looks like some work
is needed in IETF-land.

    Brian



More information about the ipv6-ops mailing list