Re: filtering packets with unknown options
On 12-jul-2006, at 15:05, Joe Abley wrote:
>> An alternative would be to set the contents of the option to all
>> zero bits, this should be easier to implement than removing the
>> header from the packet.
> For clarity, I presume you mean set the option type in each TLV the
> firewall is unhappy about (in all options extension headers that
> might be present) to zero ("skip this option").
Right, although "TLV" isn't exactly a given.
> It all still smells a bit nasty, though.
It is not a very pretty solution, but the alternative is that it will
be extremely hard to the point of almost being impossible to deploy
new "stuff" on the internet. Point in case is the "partial ECN" or
something very similar that I can't find any reference to right now.
The idea is to steal the last unused bit in the IPv4 header to extend
the ECN semantics (the "evil" bit...) but IPv6 doesn't have this bit
so that means an extra header, either a new one or a new option in
the destination options header, I forget which. With firewalls
filtering this out, this means a many-year uphill battle before this
can be deployed.
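As an added illustration of the option-neutralising idea discussed above (example code, not from the thread or its participants): the function walks the TLVs of a Hop-by-Hop or Destination Options header and rewrites every option type it does not recognise. One assumption differs from the wording above: the rewrite uses PadN (type 1, length kept, data zeroed) rather than type 0, because type 0 is the one-octet Pad1 option with no length field, so writing 0 over a multi-octet option's type would make the following length and data octets parse as further options. The sample header and the set of "known" option types are constructed for the example.

```python
PAD1, PADN = 0, 1   # padding option types of the Hop-by-Hop and Destination Options headers


def neutralise_unknown_options(ext_hdr, known):
    """Copy an options extension header (next-header octet, hdr-ext-len
    octet, then TLV options), turning every option type not in `known`
    into a PadN of the same length with zeroed data. Any bytes after the
    header (the rest of the packet) are passed through unchanged."""
    if len(ext_hdr) < 2:
        raise ValueError("truncated extension header")
    total = (ext_hdr[1] + 1) * 8          # hdr-ext-len is in 8-octet units, not counting the first
    if len(ext_hdr) < total:
        raise ValueError("header shorter than hdr-ext-len claims")
    out = bytearray(ext_hdr[:total])
    i = 2
    while i < total:
        opt_type = out[i]
        if opt_type == PAD1:               # one octet, no length or data fields
            i += 1
            continue
        if i + 1 >= total:
            raise ValueError("option without length octet")
        opt_len = out[i + 1]
        if i + 2 + opt_len > total:
            raise ValueError("option data runs past end of header")
        if opt_type != PADN and opt_type not in known:
            out[i] = PADN                  # type 1: receivers skip it, data is ignored
            out[i + 2:i + 2 + opt_len] = bytes(opt_len)
        i += 2 + opt_len
    return bytes(out) + ext_hdr[total:]


# Constructed sample: a 16-octet header carrying Pad1, an unknown option
# (type 0x63, 3 data octets), the Jumbo Payload option (0xC2, treated as
# known here) and a zero-length PadN.
SAMPLE = bytes([6, 1, PAD1, 0x63, 3, 0xAA, 0xBB, 0xCC,
                0xC2, 4, 0, 1, 0, 0, PADN, 0])

if __name__ == "__main__":
    print(neutralise_unknown_options(SAMPLE, {0xC2}).hex())
```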