[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
From: Pekka Savola <pekkas@netcore.fi>
Date: Fri, 28 Oct 2005 19:34:07 +0300 (EEST)
Cc: shim6 <shim6@psg.com>
In-reply-to: <149B7426-1BB4-481B-8E21-2A8743C267B2@muada.com>
References: <6.2.0.14.2.20051019141040.02a44d08@kahuna.telstra.net> <41F269FF-548A-482D-93A9-A958D337EEA9@muada.com> <Pine.LNX.4.64.0510281245280.21479@netcore.fi> <ba2c17041e110720a9b4bd52389c807e@it.uc3m.es> <Pine.LNX.4.64.0510281333530.22300@netcore.fi> <1976F495-AE26-4D7A-A858-B179B58E8EF8@muada.com> <Pine.LNX.4.64.0510281457080.24084@netcore.fi> <591261D4-8BDF-4DC4-9119-AE5E3048EB8B@muada.com> <Pine.LNX.4.64.0510281509270.24597@netcore.fi> <149B7426-1BB4-481B-8E21-2A8743C267B2@muada.com>

On Fri, 28 Oct 2005, Iljitsch van Beijnum wrote:

1) Specifying such a rule is safe if it's known that the firewall wouldonly accept packets with a particular header type if there is no proceedingheader.
No header following the one that the firewall is looking at, you mean?
Well, if the firewall doesn't understand the shim header, how would it knowwhether other headers follow the shim header? (Next header field isn'tnecessarily in the same place in all headers. The prime example is ESP whereit actually follows the "next" header data.)
And if the firewall does understand the shim header, it can obviouslyinterpret the TCP/UDP/other header that follows so there is no reason for thefirewall to behave in the way you mentioned.

All the non-final extension headers except fragment header have thesame TLV format. At least one firewall implementor has stated to usethis logic, but I don't know if/how they differentiate "extensionheaders" and arbitrary data packets.

Even though this case was considered marginal enough we shouldevaluate whether requiring the use of an extension header is expectedto be useful enough.


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

References:
- Design decisions made at the interim SHIM6 WG meeting
  - From: Geoff Huston <gih@apnic.net>
- Re: Design decisions made at the interim SHIM6 WG meeting
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Design decisions made at the interim SHIM6 WG meeting
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Design decisions made at the interim SHIM6 WG meeting
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
Next by Date: Re: Design decisions made at the interim SHIM6 WG meeting
Previous by thread: Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
Next by thread: Re: Shim-header in every re-located packet [Re: Design decisions made at the interim SHIM6 WG meeting]
Index(es):
- Date
- Thread