Hi, all,
I'm including INTAREA in the discussion because this doc seems to be an
end-run around intending to deprecate IPv6 HBH options, or at least to
redefine the option behavior bits defined in RFC 2460. IMO, that ought
to be addressed in INTAREA, not V6OPS.
IMO, the real DOS attack here is twofold:
1) vendors who misrepresent their boxes as IPv6-capable at a given packet rate
2) documents, such as this, that invert the Postel Principle into the Gont Principle:
   - Postel Principle:
     Be conservative in what you send and liberal in what you receive.
   - Gont Principle:
     Be paranoid in what you receive.
Just because you receive something you didn't expect does NOT make it
an attack.
I sincerely hope there are others who share this view, or we might as
well just go straight to the conclusion that IPv6 routers that can't
process 128-bit addresses really ought to be OK just forwarding based on
the last 32.
Joe
On 7/15/2014 5:44 PM, Fernando Gont wrote:
> On 07/15/2014 09:36 PM, Joe Touch wrote:
>> On 7/15/2014 5:08 PM, Brian E Carpenter wrote:
>>> The problem with both of these great inventions is that a single
>>> box on the path that takes the "drop" option breaks everything,
>>> whereas "ignore" at least provides best effort service and
>>> protects against any specific attack on the middlebox.
>>
>> As far as the destination host goes, HbH can't be any more
>> dangerous than a destination option.
>>
>> IPv6 already indicates - inside the option type - what to do if an
>> option isn't supported.
>>
>> Why is honoring that set of flags not the only correct behavior?
>
> Because, with the world as we know it, that ends up killing performance
> -- with the corresponding implications (DoS) in extreme cases.
>
> Cheers,
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
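The thread turns on what RFC 2460 section 4.2 already encodes in the Option Type of a Hop-by-Hop option: the two high-order bits say whether a node that does not recognise the option should skip it, discard the packet silently, discard it and send an ICMPv6 Parameter Problem (code 2), or discard it and send the ICMP only for unicast destinations; the third bit says whether the option data may change en route. The following is an added example, written for this page and not code from any participant or from an IETF draft. It parses a Hop-by-Hop Options header, applies those RFC 2460 rules, and also models (as a hypothetical `policy` parameter, not something the RFC defines) the "ignore" and "drop" middlebox behaviours the thread contrasts. The sample headers are constructed; the set of "known" option types (Pad1, PadN, Router Alert, Jumbo Payload) is an assumption about the processing node.

```python
"""Decode an IPv6 Hop-by-Hop Options header and apply the RFC 2460 section 4.2
handling rules for unrecognized Option Types.

Added example for the thread above; not code from any of the participants.
The sample headers are constructed, and the 'ignore' / 'drop' policies are a
hypothetical way of modelling the middlebox behaviours discussed in the thread.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Option types a conforming node is assumed to recognise (RFC 2460 / RFC 2711).
PAD1, PADN, ROUTER_ALERT, JUMBO_PAYLOAD = 0x00, 0x01, 0x05, 0xC2
DEFAULT_KNOWN: FrozenSet[int] = frozenset({PAD1, PADN, ROUTER_ALERT, JUMBO_PAYLOAD})


@dataclass
class Decision:
    action: str                        # "forward" or "discard"
    send_icmp: bool                    # send ICMPv6 Parameter Problem, code 2?
    pointer: Optional[int] = None      # offset of the offending Option Type in the header
    options_seen: List[int] = field(default_factory=list)


def rfc2460_unrecognized(opt_type: int, dst_is_multicast: bool) -> Tuple[bool, bool]:
    """Map the two high-order bits of an Option Type to (discard, send_icmp)."""
    act = (opt_type >> 6) & 0b11
    if act == 0b00:                    # skip the option, keep processing the header
        return False, False
    if act == 0b01:                    # discard the packet silently
        return True, False
    if act == 0b10:                    # discard and always send ICMP Parameter Problem
        return True, True
    return True, not dst_is_multicast  # 0b11: discard, ICMP only for unicast destinations


def may_change_en_route(opt_type: int) -> bool:
    """Third-highest bit: may the option data change in transit (matters for AH)."""
    return bool(opt_type & 0x20)


def process_hop_by_hop(hbh: bytes, dst_is_multicast: bool = False,
                       known: FrozenSet[int] = DEFAULT_KNOWN,
                       policy: str = "rfc2460") -> Decision:
    """Walk the option TLVs of a Hop-by-Hop header and decide the packet's fate.

    policy="rfc2460": honour the action bits of each unrecognized Option Type.
    policy="ignore":  skip every unrecognized option (the "ignore" middlebox).
    policy="drop":    discard on any unrecognized option (the "drop" middlebox).
    """
    if len(hbh) < 2:
        raise ValueError("header too short")
    hdr_ext_len = hbh[1]
    total = (hdr_ext_len + 1) * 8      # Hdr Ext Len counts 8-octet units beyond the first 8
    if len(hbh) < total:
        raise ValueError("truncated Hop-by-Hop header")
    seen: List[int] = []
    off = 2                            # skip Next Header and Hdr Ext Len
    while off < total:
        opt_type = hbh[off]
        if opt_type == PAD1:           # Pad1 is a single octet with no length field
            seen.append(opt_type)
            off += 1
            continue
        if off + 1 >= total:
            raise ValueError("option without length octet")
        opt_len = hbh[off + 1]
        if off + 2 + opt_len > total:
            raise ValueError("option data runs past header end")
        seen.append(opt_type)
        if opt_type not in known:
            if policy == "ignore":
                discard, icmp = False, False
            elif policy == "drop":
                discard, icmp = True, False
            else:
                discard, icmp = rfc2460_unrecognized(opt_type, dst_is_multicast)
            if discard:
                return Decision("discard", icmp, off, seen)
        off += 2 + opt_len
    return Decision("forward", False, None, seen)


# Constructed sample headers: Next Header = 58 (ICMPv6), Hdr Ext Len = 0 (8 octets).
ROUTER_ALERT_HDR = bytes([58, 0, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00])  # Router Alert + PadN
UNKNOWN_SKIP_HDR = bytes([58, 0, 0x1E, 0x04, 1, 2, 3, 4])             # action bits 00
UNKNOWN_ICMP_HDR = bytes([58, 0, 0x9E, 0x04, 1, 2, 3, 4])             # action bits 10
UNKNOWN_ICMP_UNICAST_HDR = bytes([58, 0, 0xDE, 0x04, 1, 2, 3, 4])     # action bits 11

if __name__ == "__main__":
    for name, hdr in [("router-alert", ROUTER_ALERT_HDR), ("unknown-00", UNKNOWN_SKIP_HDR),
                      ("unknown-10", UNKNOWN_ICMP_HDR), ("unknown-11", UNKNOWN_ICMP_UNICAST_HDR)]:
        for pol in ("rfc2460", "ignore", "drop"):
            print(name, pol, process_hop_by_hop(hdr, dst_is_multicast=False, policy=pol))
```

Running it shows the difference the thread is arguing about: under `rfc2460` an unknown option with action bits 00 is forwarded while one with bits 10 or 11 is discarded (with the ICMP decision depending on whether the destination is multicast); the `ignore` policy forwards all four headers, and the `drop` policy discards every header carrying an option the node does not know, regardless of what the sender encoded.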