You-all might want to hop over to IETF-land to comment on http://tools.ietf.org/html/draft-gont-opsec-ipv6-eh-filtering

Regards
   Brian

On 19/07/2014 07:45, Yannis Nikolopoulos wrote:
> Eric,
>
> thanks for your comments
>
> On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:
>> Yannis
>>
>> While I cannot speak for all vendors or even for all of my employer's
>> products, you will indeed find that control-plane policing (=
>> rate-limiting) is either on by default or can be configured on most
>> routers.
>>
>> Alternatively, you may want to use plain ACL to drop all those
>> potentially-harmful packets with HbH.
>>
>> You probably know that HbH is also used on the local link for MLD and on
>> the WAN for RSVP (and possibly for other purposes). So, be sure to
>> understand your own use before configuring drop/rate limiting ;-)
>>
>> Rate-limiting is really the way to go IMHO. A platform which processes
>> HbH without rate-limiting (and there are such platforms) should NOT be
>> deployed on the wild Internet.
>
> maybe I should forward this last comment (with which I agree) to our
> local Cisco team ;)
>
> cheers,
> Yannis
>
>> Hope that this belated reply helps
>>
>> -éric
>>
>>
>> On 5/07/14 15:27, "Yannis Nikolopoulos" <[email protected]> wrote:
>>
>>> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>>>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>>>> hello,
>>>>>
>>>>> how do people handle packets with HBH present? Since their use is a
>>>>> potential attack vector, do people rate-limit them? I can't seem to
>>>>> find some sort of "best practice" on the issue
>>>> I have the impression that they are simply ignored in many cases.
>>>> That is simpler than rate-limiting. It is legal, because we reduced
>>>> the requirement to processing them to a SHOULD in RFC 7045:
>>>>
>>>>    The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>>>    intermediate forwarding nodes as described in [RFC2460]. However, it
>>>>    is to be expected that high-performance routers will either ignore it
>>>>    or assign packets containing it to a slow processing path. Designers
>>>>    planning to use a hop-by-hop option need to be aware of this likely
>>>>    behaviour.
>>> That sounds fine and it would make our lives easier but...
>>>
>>> I'm not sure about other vendors, but it seems that Cisco boxes are
>>> processing those at each node, at least it seems that ASR9k and 7600 do
>>> (although there's the option to rate-limit them). CRS probably rate
>>> limit them by default but the info is quite scarce
>>>
>>> cheers
>>>
>>>> - Brian
>>>>
>>>>> cheers,
>>>>> Yannis
>>>>>
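As an added illustration of the filtering decision Eric raises above (example code, not from any message in this thread): the functions below walk an IPv6 packet's Hop-by-Hop Options header and tell the Router Alert uses of MLD and RSVP apart from other HbH traffic, which is the distinction a drop or rate-limit policy has to make. The packet bytes and addresses are constructed samples.

```python
import struct

HBH = 0                  # Next Header value of the Hop-by-Hop Options header (RFC 2460)
ROUTER_ALERT = 5         # Hop-by-Hop option type of Router Alert (RFC 2711)
RA_MLD, RA_RSVP = 0, 1   # Router Alert values carried by MLD and RSVP (RFC 2711)

def hbh_options(packet: bytes):
    """Return None if the packet has no Hop-by-Hop header, else its options as (type, value) pairs."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if packet[6] != HBH:                    # Next Header field of the fixed header
        return None
    ext = packet[40:]
    if len(ext) < 2 or len(ext) < (ext[1] + 1) * 8:
        raise ValueError("truncated Hop-by-Hop header")
    body, options, i = ext[2:(ext[1] + 1) * 8], [], 0   # options follow Next Header + Hdr Ext Len
    while i < len(body):
        if body[i] == 0:                    # Pad1: one byte, no length field
            i += 1
            continue
        length = body[i + 1]
        options.append((body[i], bytes(body[i + 2:i + 2 + length])))
        i += 2 + length
    return options

def classify(packet: bytes) -> str:
    """Label a packet the way a drop/rate-limit policy must: no HbH, known Router Alert use, or other."""
    options = hbh_options(packet)
    if options is None:
        return "no-hbh"
    for opt_type, value in options:
        if opt_type == ROUTER_ALERT and len(value) == 2:
            alert = struct.unpack("!H", value)[0]
            if alert == RA_MLD:
                return "hbh-router-alert-mld"
            if alert == RA_RSVP:
                return "hbh-router-alert-rsvp"
    return "hbh-other"

def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    # Constructed sample: fixed IPv6 header with hop limit 1 and placeholder addresses
    src, dst = bytes.fromhex("fe80" + "00" * 13 + "01"), bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 1, src, dst) + payload

# Constructed samples: MLD-style (Router Alert 0), RSVP-style (Router Alert 1), padding-only HbH, no HbH
MLD_PKT = ipv6_packet(HBH, bytes([58, 0, 5, 2, 0, 0, 1, 0]))
RSVP_PKT = ipv6_packet(HBH, bytes([46, 0, 5, 2, 0, 1, 1, 0]))
PADDED_PKT = ipv6_packet(HBH, bytes([59, 0, 1, 4, 0, 0, 0, 0]))
PLAIN_PKT = ipv6_packet(58, bytes([128, 0, 0, 0]))
```

A filter built on this logic would rate-limit or drop the "hbh-other" class while leaving the on-link MLD and WAN RSVP cases alone.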
