On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
hello,

How do people handle packets with HBH present? Since their use is a
potential attack vector, do people rate-limit them? I can't seem to find
some sort of "best practice" on the issue.
I have the impression that they are simply ignored in many cases.
That is simpler than rate-limiting. It is legal, because we reduced
the requirement to process them to a SHOULD in RFC 7045:

    The IPv6 Hop-by-Hop Options header SHOULD be processed by
    intermediate forwarding nodes as described in [RFC2460].  However, it
    is to be expected that high-performance routers will either ignore it
    or assign packets containing it to a slow processing path.  Designers
    planning to use a hop-by-hop option need to be aware of this likely
    behaviour.
That sounds fine and it would make our lives easier but...

I'm not sure about other vendors, but it seems that Cisco boxes process those at each node; at least the ASR9k and 7600 seem to (although there is an option to rate-limit them). CRS probably rate-limits them by default, but the information is quite scarce.

cheers


  - Brian

cheers,
Yannis
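The thread above talks about three possible treatments of a packet carrying a Hop-by-Hop Options header: process it (RFC 2460), ignore it, or divert it to a slow path and rate-limit it (RFC 7045). The following is an added example, not code from the thread or from any vendor: it constructs an IPv6 packet with a Hop-by-Hop header (a Router Alert option plus padding), walks the extension-header chain, parses the options, and classifies packets into a fast path, a token-bucket-limited slow path, or a drop. The `UNRECOGNIZED_ACTION` table encodes the two high-order bits of the option type from RFC 2460 section 4.2, which is where much of the "attack vector" worry comes from: an unknown option with bits `10` or `11` obliges a processing node to generate an ICMP Parameter Problem message. Addresses, option values and the token-bucket parameters are constructed for illustration.

```python
"""Walk an IPv6 extension-header chain, parse Hop-by-Hop options and
rate-limit packets that carry them (constructed example, not from the thread)."""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_DSTOPTS = 60
IPPROTO_UDP = 17

# RFC 2460 section 4.2: the two high-order bits of an option type tell a node
# what to do when it does not recognise the option.
UNRECOGNIZED_ACTION = {
    0: "skip",                       # 00: skip the option, keep processing the header
    1: "discard",                    # 01: silently discard the packet
    2: "discard+icmp",               # 10: discard and send ICMP Parameter Problem
    3: "discard+icmp-unicast-only",  # 11: as 10, but only if the destination is unicast
}


def unrecognized_action(opt_type: int) -> str:
    return UNRECOGNIZED_ACTION[opt_type >> 6]


def build_ipv6(next_header: int, payload: bytes, src="2001:db8::1", dst="2001:db8::2") -> bytes:
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0, hop limit 64."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_hbh(next_header: int, options: bytes) -> bytes:
    """Hop-by-Hop header: Next Header, Hdr Ext Len (8-octet units, excluding the
    first 8 octets), then options padded with Pad1/PadN to an 8-octet boundary."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"                                     # Pad1
    elif pad > 1:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)   # PadN
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options


def parse_options(data: bytes):
    """TLV walk over the option area; returns a list of (type, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == 0:                     # Pad1 has no length or value
            opts.append((0, b""))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts.append((opt_type, value))
        i += 2 + length
    return opts


def parse_packet(pkt: bytes) -> dict:
    """Follow the Next Header chain; parse Hop-by-Hop options when present."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    first_word, _payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not IPv6")
    chain, hbh_options, off = [], None, 40
    while nh in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS, IPPROTO_FRAGMENT):
        # Fragment header is a fixed 8 octets; the others carry Hdr Ext Len.
        ext_len = 8 if nh == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        ext = pkt[off:off + ext_len]
        if len(ext) != ext_len:
            raise ValueError("truncated extension header")
        if nh == IPPROTO_HOPOPTS:
            if off != 40:   # RFC 2460 section 4.1: HBH must directly follow the IPv6 header
                raise ValueError("Hop-by-Hop header not first")
            hbh_options = parse_options(ext[2:])
        chain.append(nh)
        nh, off = ext[0], off + ext_len
    return {"src": str(ipaddress.IPv6Address(pkt[8:24])), "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "hop_limit": hop_limit, "chain": chain, "upper": nh, "hbh_options": hbh_options}


class TokenBucket:
    """Deterministic token bucket: `rate` tokens per second, up to `burst` stored."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(pkt: bytes, bucket: TokenBucket, now: float) -> str:
    """'fast' for packets without HBH; HBH packets go to the rate-limited slow path or are dropped."""
    if parse_packet(pkt)["hbh_options"] is None:
        return "fast"
    return "slow" if bucket.allow(now) else "drop"


if __name__ == "__main__":
    ROUTER_ALERT = bytes([5, 2, 0, 0])   # option type 5 (Router Alert), value 0 (constructed sample)
    with_hbh = build_ipv6(IPPROTO_HOPOPTS, build_hbh(IPPROTO_UDP, ROUTER_ALERT) + b"\x00" * 8)
    plain = build_ipv6(IPPROTO_UDP, b"\x00" * 8)
    bucket = TokenBucket(rate=1.0, burst=2)
    for pkt in (with_hbh, with_hbh, with_hbh, plain):
        print(classify(pkt, bucket, 0.0), parse_packet(pkt)["chain"], parse_packet(pkt)["hbh_options"])
```

A router that "ignores" the header in the RFC 7045 sense would still have to read `Hdr Ext Len` to find the upper-layer header, but would never call `parse_options`; the classifier above is the "slow processing path" alternative, with a token bucket standing in for the vendor rate-limiter the thread mentions. The bucket parameters are placeholders, not values taken from any platform.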

