
Re: filtering packets with unknown options



At 19:58 12/07/2006 +0300, Pekka Savola wrote:
>On Wed, 12 Jul 2006, Iljitsch van Beijnum wrote:
>>There is of course the tiny detail of how to implement this. Firewalls do a lot of processing so it's not completely outside the realm of possibility to assume that they could remove extension headers, but routers certainly aren't going to do this.
>
>This has been a no-no in IPv6 design.  Intermediary devices do not add or remove options.  That might even be explicitly stated in RFC 2460.
>
>On the other end, FW _could_ send a parameter problem (or whatever) ICMP error about the packet, which could result in the host trying to send without the header (if the host included the logic to respond to failures to communicate with a header, which I'd assume they'd need to have in the future, e.g., with shim6).
>
>However, I suspect many FW admins prefer silent discard in this case. I personally have no strong preference.

And those FW admins will be right because this may end up in a reflection DoS attack ;-)


-éric
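The filtering decision debated in the thread, as an added example that is not part of the original message: walk an IPv6 extension-header chain and either silently discard packets carrying an unrecognised header or mark them for an ICMPv6 Parameter Problem. The header numbers are the IANA values; the set of accepted upper-layer protocols, the zero addresses and the sample packets are constructed assumptions.

```python
import struct

# IPv6 extension-header numbers (IANA) and the protocols this hypothetical firewall accepts.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}
NO_NEXT_HEADER = 59
KNOWN_ULP = {6, 17, 58}  # TCP, UDP, ICMPv6 (assumed policy)

def walk_ipv6_chain(pkt: bytes) -> list:
    """Return the next-header values met while walking the extension-header
    chain; the last element is the first value that is not a known header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        ext_len = pkt[off + 1]
        if nh == FRAGMENT:            # fixed 8 octets, no length field
            size = 8
        elif nh == AUTH:              # AH length is in 4-octet units, minus 2
            size = (ext_len + 2) * 4
        else:                         # 8-octet units, not counting the first 8
            size = (ext_len + 1) * 8
        nh, off = pkt[off], off + size
    chain.append(nh)
    return chain

def filter_decision(pkt: bytes, send_icmp: bool = False) -> str:
    """'accept' for a fully understood chain, else 'drop' (silent discard) or
    'icmp-param-problem'. send_icmp defaults to False: an error sent back to an
    unverified source address can be abused for reflection, as the thread notes."""
    try:
        last = walk_ipv6_chain(pkt)[-1]
    except ValueError:
        return "drop"
    if last in KNOWN_ULP or last == NO_NEXT_HEADER:
        return "accept"
    return "icmp-param-problem" if send_icmp else "drop"

def build_ipv6(payload: bytes, next_header: int) -> bytes:
    """Constructed test packet: zero source/destination addresses, hop limit 64."""
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return fixed + bytes(32) + payload

# Constructed samples: Destination Options (PadN) before a TCP stub; next header 253 (experimental).
PKT_DSTOPT_TCP = build_ipv6(b"\x06\x00\x01\x04\x00\x00\x00\x00" + bytes(20), DEST_OPTS)
PKT_UNKNOWN = build_ipv6(bytes(8), 253)
```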