Fernando,

On Jun 11, 2011, at 12:51 AM, Fernando Gont wrote:
> Hi,
>
> Some folks have expressed (both on-list and off-list) that they would
> prefer a less aggressive solution for the RA-Guard evasion vulnerability.
> So I'd like to hear comments about the possible alternatives..
>
> The current I-Ds (draft-gont-6man-nd-extension-headers and
> draft-gont-v6ops-ra-guard-evasion) basically take this approach:
>
> * Prohibit use of extension headers in ND messages. A host
> implementation must not produce these packets, and must discard them if
> it receives them
> * This results in an RA-Guard implementation that is as simple as
> possible (it only has to look at the header following the fixed IPv6
> header).

What is a use case where extension headers would be used in ND (ICMPv6) messages? Same for Fragmentation? I am having a hard time thinking of any, so I like your approach. Unless I am missing something.

Thanks,
Bob

>
>
> A more relaxed approach would be as follows:
> * Extension headers are allowed with ND messages.
> * If the packet is fragmented, the upper-layer header (ICMPv6 in this
> case) must be present in the first fragment (i.e., hosts must not
> generate packets that violate this requirement, and must discard them if
> they receive them).
> * Possibly have the RA-Guard box enforce a limit on the maximum number
> of extension headers that it will process (e.g., if after jumping to
> the, say, 10th header the upper-layer header is not found, drop the packet)
> * This approach is less aggressive than the one proposed in the
> aforementioned I-Ds (i.e., more flexibility), but of course would also
> mean that the RA-Guard implementation would need to follow the header
> chain, thus leading to increased complexity, and possible performance
> issues.
>
> Any comments/thoughts will be very much appreciated.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> e-mail: [email protected] || [email protected]
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
> _______________________________________________
> v6ops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/v6ops

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
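The two RA-Guard policies Fernando lists in the quoted message, side by side on the packets that distinguish them, as an added illustration that is not part of the thread, of either draft, or of any real RA-Guard implementation. It is Python over raw IPv6 byte strings constructed in the block itself (addresses, fragment IDs and RA field values are made up; ICMPv6 checksums are neither computed nor checked). The "strict" guard only looks at the Next Header of the fixed IPv6 header, on the assumption that hosts discard any ND message carrying extension headers. The "relaxed" guard walks the chain, requires the upper-layer header in the first fragment, and drops after the quoted limit of 10 extension headers. Both judge a first fragment on its own, without reassembly, and treat ESP as an opaque upper-layer header; those are this example's assumptions, not statements from the drafts.

```python
import struct

IPV6_HDR_LEN = 40
ICMPV6, ICMPV6_ROUTER_ADVERT = 58, 134
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
# Headers the guard can step over. ESP (50) is deliberately absent: its contents
# are opaque, so the walk treats it as an upper-layer header and stops there.
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}

def ext_header_len(nh, hdr):
    """Byte length of extension header nh given its first two bytes, or None."""
    if nh in (HOP_BY_HOP, DEST_OPTS, ROUTING):
        return (hdr[1] + 1) * 8      # Hdr Ext Len in 8-octet units, excluding the first 8
    if nh == AH:
        return (hdr[1] + 2) * 4      # Payload Len in 4-octet units, minus 2
    return 8 if nh == FRAGMENT else None

def walk_header_chain(pkt, max_ext_headers):
    """Walk the chain after the fixed header; returns (status, nh, offset, fragmented)."""
    nh, off, fragmented, seen = pkt[6], IPV6_HDR_LEN, False, 0
    while True:
        if nh not in EXT_HEADERS:
            return "found", nh, off, fragmented
        if seen >= max_ext_headers:
            return "too_many", nh, off, fragmented
        hlen = ext_header_len(nh, pkt[off:off + 2]) if off + 2 <= len(pkt) else None
        if hlen is None or off + hlen > len(pkt):
            return "truncated", nh, off, fragmented
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3 != 0:
                return "non_first_fragment", nh, off, fragmented
            fragmented = True        # offset 0: this is a first fragment
        nh, off, seen = pkt[off], off + hlen, seen + 1

def strict_ra_guard(pkt):
    """Aggressive proposal: only the header after the fixed IPv6 header is inspected;
    anything behind an extension header is passed and left for the host to discard."""
    if len(pkt) < IPV6_HDR_LEN or (pkt[6] == ICMPV6 and len(pkt) < IPV6_HDR_LEN + 4):
        return "drop: malformed"
    if pkt[6] == ICMPV6 and pkt[IPV6_HDR_LEN] == ICMPV6_ROUTER_ADVERT:
        return "drop: router advertisement"
    return "pass"

def relaxed_ra_guard(pkt, max_ext_headers=10):
    """Relaxed proposal: follow the chain, require the upper-layer header in the
    first fragment, and give up after max_ext_headers extension headers."""
    if len(pkt) < IPV6_HDR_LEN:
        return "drop: malformed"
    status, nh, off, fragmented = walk_header_chain(pkt, max_ext_headers)
    not_in_first = "drop: upper-layer header not in first fragment"
    if status == "non_first_fragment":
        return "pass"                # its first fragment is judged on its own
    if status == "too_many":
        return "drop: header chain limit exceeded"
    if status == "truncated":
        return not_in_first if fragmented else "drop: malformed"
    need = 4 if nh == ICMPV6 else 0  # ICMPv6 type, code and checksum must be visible
    if fragmented and off + max(need, 1) > len(pkt):
        return not_in_first
    if off + need > len(pkt):
        return "drop: malformed"
    if nh == ICMPV6 and pkt[off] == ICMPV6_ROUTER_ADVERT:
        return "drop: router advertisement"
    return "pass"

SRC = bytes.fromhex("fe80" + "00" * 13 + "0a")   # fe80::a (made up)
DST = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1, all nodes

def ipv6(next_header, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + SRC + DST + payload

def dest_opts(next_header, extra_units=0):
    """Destination Options header of 8 * (extra_units + 1) bytes holding one PadN option."""
    pad = 6 + 8 * extra_units
    return bytes([next_header, extra_units, 1, pad - 2]) + b"\x00" * (pad - 2)

def fragment_hdr(next_header, offset_units, more):
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), 0x1234)

def router_advert():
    """Minimal RA: type 134, code 0, checksum 0, hop limit 64, router lifetime 1800."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)

def build_samples():
    ra = router_advert()             # every packet below is a constructed test case
    return {
        "plain_ra": ipv6(ICMPV6, ra),
        "ra_behind_dstopts": ipv6(DEST_OPTS, dest_opts(ICMPV6) + ra),
        # fragmentable part = 16-byte DestOpts + 16-byte RA, cut so fragment 1 holds only DestOpts
        "ra_frag1": ipv6(FRAGMENT, fragment_hdr(DEST_OPTS, 0, True) + dest_opts(ICMPV6, 1)),
        "ra_frag2": ipv6(FRAGMENT, fragment_hdr(DEST_OPTS, 2, False) + ra),
        "ra_long_chain": ipv6(DEST_OPTS, dest_opts(DEST_OPTS) * 11 + dest_opts(ICMPV6) + ra),
        "udp_behind_dstopts": ipv6(DEST_OPTS, dest_opts(17) + struct.pack("!HHHH", 546, 547, 12, 0) + b"dhcp"),
    }

if __name__ == "__main__":
    for name, pkt in build_samples().items():
        print(f"{name:<20} strict={strict_ra_guard(pkt):<28} relaxed={relaxed_ra_guard(pkt)}")
```

Running it shows the trade-off in the quoted message: the strict guard is a single byte comparison but passes the RA hidden behind a Destination Options header, the RA split across fragments, and the long chain, relying on hosts to discard them. The relaxed guard catches all three (the first fragment is dropped because the ICMPv6 header is not in it, the second fragment then never reassembles, and the chain of twelve headers hits the limit) at the cost of walking every extension header of every packet, which is the complexity and performance concern raised in the last bullet.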
