On 06/11/2011 05:09 AM, Philip Homburg wrote:
>> * Possibly have the RA-Guard box enforce a limit on the maximum number
>> of extension headers that it will process (e.g., if after jumping to
>> the, say 10th header the upper-layer header is not found, drop the packet)
>> * This approach is less aggressive than the one proposed in the
>> aforementioned I-Ds (i.e., more flexibility), but of course would also
>> mean that the RA-Guard implementation would need to follow the header
>> chain, thus leading to increased complexity, and possible performance
>> issues.
>
> Strikes me as a bad tradeoff. This requires all L2 switches to parse IPv6
> extension headers at wire speed. So, some of them will get it wrong.

+1

> And the only benefit mentioned in the discussion so far is the need to send
> RAs large enough that they need to be fragmented.

Actually, you can get the same benefit with no fragmentation: just send
multiple RAs.

> Another benefit would be that you don't have to change host software.

I think that, in practice, this is less of an issue. In many cases, this
could be an automatic "security update". In others, the hosts may be
connected to networks that do not yet support v6, and by the time v6 is
deployed on these networks, the corresponding OSes will have already been
updated/upgraded.

Thanks!

Best regards,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
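Added example, not part of the original message and not code from any RA-Guard implementation: a sketch of the bounded header-chain walk discussed in the quoted proposal, which drops a packet when the upper-layer header is not found within a fixed number of extension headers. The function names, the choice to drop truncated chains and forward non-first fragments, and the sample packets are assumptions made for illustration.

```python
import struct

EXT_HEADERS = {0, 43, 60}      # Hop-by-Hop, Routing, Destination Options
FRAGMENT, AH, ICMPV6 = 44, 51, 58
ROUTER_ADVERTISEMENT = 134     # ICMPv6 message type

def ra_guard_verdict(pkt: bytes, max_headers: int = 10) -> str:
    """Return 'drop' or 'forward' for an IPv6 packet seen on a host-facing port."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop"                      # not a complete IPv6 header
    nxt, off = pkt[6], 40
    for _ in range(max_headers + 1):       # max_headers jumps, then one last look
        if nxt == ICMPV6:
            if off >= len(pkt):
                return "drop"              # upper-layer header not in this packet
            return "drop" if pkt[off] == ROUTER_ADVERTISEMENT else "forward"
        if nxt in EXT_HEADERS or nxt == AH:
            if off + 2 > len(pkt):
                return "drop"              # chain runs past the end (assumed policy)
            scale, extra = (4, 2) if nxt == AH else (8, 1)   # AH counts 4-byte words
            nxt, off = pkt[off], off + (pkt[off + 1] + extra) * scale
        elif nxt == FRAGMENT:
            if off + 8 > len(pkt):
                return "drop"
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "forward"           # non-first fragment (assumed policy)
            nxt, off = pkt[off], off + 8
        else:
            return "forward"               # some other upper-layer protocol
    return "drop"                          # limit reached, upper layer not found

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv6 header (zeroed addresses) plus payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + bytes(32) + payload

def sample(n_ext: int, icmp_type: int) -> bytes:
    """Constructed sample: ICMPv6 message behind n_ext Destination Options headers."""
    body, nh = bytes([icmp_type]) + bytes(15), ICMPV6
    for _ in range(n_ext):
        body, nh = bytes([nh, 0, 1, 4, 0, 0, 0, 0]) + body, 60   # PadN-padded header
    return ipv6(nh, body)
```

Even this small walk has to know three different length encodings and two bounds checks per header, which is the complexity the reply above is concerned about for wire-speed L2 devices.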
