Re: filtering packets with unknown options
On Wed, 12 Jul 2006, Iljitsch van Beijnum wrote:
> There is of course the tiny detail of how to implement this. Firewalls do a
> lot of processing so it's not completely outside the realm of possibility to
> assume that they could remove extension headers, but routers certainly aren't
> going to do this.

This has been a no-no in IPv6 design. Intermediary devices do not add
or remove options. That might even be explicitly stated in RFC 2460.

On the other end, FW _could_ send a parameter problem (or whatever)
ICMP error about the packet, which could result in the host trying to
send without the header (if the host included the logic to respond to
failures to communicate with a header, which I'd assume they'd need to
have in the future, e.g., with shim6).

However, I suspect many FW admins prefer silent discard in this case.
I personally have no strong preference.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings