On Jun 16, 2011, at 1:44 PM, Jean-Michel Combes wrote:

> Hi Arturo,
>
> at first, thanks for your reply.
>
> 2011/6/16 Arturo Servin <[email protected]>:
>> Jean-Michel,
>>
>> On 16 Jun 2011, at 14:13, Jean-Michel Combes wrote:
>>
>
> [snip]
>
>>> o draft-gont-6man-nd-extension-headers
>>>
>>> IMHO, it is not a good idea to forbid the use of IPv6 extension headers with
>>> NDP messages, especially when the reason is partially based on
>>> implementation issues (i.e. the implementation is not able to process
>>> an IPv6 packet): today, there is no real use of extension headers with
>>> NDP but, tomorrow, if we need such a use for a solution, what will
>>> happen?
>>
>> See below
>>
>>> Regarding the fragmentation, is it not possible for the RA-Guard
>>> device to reassemble the fragments and so to be able to check whether
>>> this is an RA message or not?
>>
>> It's possible, perhaps. But the trade-off is too much IMHO. Forcing an
>> L2 device to inspect every packet and re-assemble them is unfeasible or too
>> expensive (similar for a more intelligent device listening for every packet
>> in the network looking for rogue RAs). The same for extension headers in
>> NDP: we are not using them today, maybe we will, but the trade-off to have it
>> "just in case" is too much.
>>
>
> Why is this unfeasible? Again an implementation issue?
> Why is it too expensive? Memory issue? CPU issue? Something else?
It's expensive because you have to set them aside and re-assemble, and ND is going to be reassembled in a control-plane processor, which leads to cases where the attacker deliberately maximizes the expense associated with doing so.

> Best regards.
>
> JMC.
> _______________________________________________
> v6ops mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/v6ops
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
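The two points argued above (a stateless RA-Guard cannot see the ICMPv6 type once a Fragment header is in front of it, and reassembling instead lets the sender dictate how much state the filter holds) are easy to show with hand-built packets. The following is an added example, not code from the thread or from any RA-Guard implementation: it packs IPv6, Destination Options, Fragment and ICMPv6 RA headers with the standard library, walks the header chain the way a stateless filter would, and then runs a small per-datagram reassembler with an assumed cap on buffered datagrams (`max_pending`, an illustrative policy, not something the thread proposes). All addresses, fragment IDs and sizes are constructed; checksums are left zero because nothing here validates them.

```python
"""Added example: fragmented RA vs. a stateless filter, and the cost of reassembling.
Constructed packets only; runs offline with the standard library."""
import struct
import ipaddress

IPPROTO_FRAGMENT, IPPROTO_DSTOPTS, IPPROTO_ICMPV6 = 44, 60, 58
EXT_HEADERS = {0, 43, 44, 60}          # Hop-by-Hop, Routing, Fragment, Destination Options
ICMPV6_ROUTER_ADVERT = 134

def ipv6(src, dst, nh, payload):
    """Fixed 40-byte IPv6 header (hop limit 255) in front of payload; src/dst may be text or packed."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), nh, 255,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload

def dstopts(nh, size):
    """Destination Options header of `size` octets (multiple of 8) filled with Pad1 options."""
    assert size % 8 == 0 and size >= 8
    return bytes([nh, size // 8 - 1]) + b"\x00" * (size - 2)

def fraghdr(nh, offset, more, ident):
    """Fragment header; offset in 8-octet units, M flag is the low bit of the 16-bit field."""
    return struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), ident)

def router_advert():
    """Minimal ICMPv6 RA: type 134, code 0, zero checksum, hop limit 64, lifetime 1800 s."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)

def classify(pkt):
    """Stateless walk of one packet/fragment, as an L2 RA-Guard would do it.
    Returns ("icmpv6", type) when the ICMPv6 header is visible here,
    ("unknown", why) when it is not, or (proto, None) for other upper layers."""
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return ("unknown", "extension header not in this fragment")
        if nh == IPPROTO_FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return ("unknown", "non-first fragment")
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh == IPPROTO_ICMPV6:
        if off >= len(pkt):
            return ("unknown", "ICMPv6 header is in a later fragment")
        return ("icmpv6", pkt[off])
    return (nh, None)

class Reassembler:
    """Per-(src, dst, id) fragment buffers. max_pending is an assumed cap on
    half-finished datagrams; without it the sender decides how much is held."""
    def __init__(self, max_pending=64):
        self.max_pending, self.pending, self.evicted = max_pending, {}, 0

    def pending_bytes(self):
        return sum(len(f[2]) for frags in self.pending.values() for f in frags.values())

    def feed(self, pkt):
        """Buffer one fragment (Fragment header assumed right after the IPv6 header);
        return the reassembled datagram when complete, the packet itself if unfragmented, else None."""
        if pkt[6] != IPPROTO_FRAGMENT:
            return pkt
        nh, _, field, ident = struct.unpack("!BBHI", pkt[40:48])
        key = (pkt[8:24], pkt[24:40], ident)
        if key not in self.pending and len(self.pending) >= self.max_pending:
            self.pending.pop(next(iter(self.pending)))   # evict the oldest datagram
            self.evicted += 1
        frags = self.pending.setdefault(key, {})
        frags[field >> 3] = (nh, field & 1, pkt[48:])
        end = 0                                           # complete only if contiguous from 0 and last M=0
        for off in sorted(frags):
            if off * 8 != end:
                return None
            end += len(frags[off][2])
        if frags[max(frags)][1]:
            return None
        del self.pending[key]
        body = b"".join(frags[o][2] for o in sorted(frags))
        return ipv6(pkt[8:24], pkt[24:40], frags[0][0], body)

def demo():
    src, dst, ident = "fe80::1", "ff02::1", 0x1234
    # Evasion: fragment 1 carries only a Destination Options header; the RA starts in fragment 2.
    pad = dstopts(IPPROTO_ICMPV6, 16)
    frag1 = ipv6(src, dst, IPPROTO_FRAGMENT, fraghdr(IPPROTO_DSTOPTS, 0, True, ident) + pad)
    frag2 = ipv6(src, dst, IPPROTO_FRAGMENT,
                 fraghdr(IPPROTO_DSTOPTS, len(pad) // 8, False, ident) + router_advert())
    stateless = [classify(frag1), classify(frag2)]
    r = Reassembler(max_pending=8)
    stateful = classify(r.feed(frag1) or r.feed(frag2))
    # Cost: the sender emits first fragments with fresh IDs and never finishes any of them.
    for i in range(20):
        r.feed(ipv6(src, dst, IPPROTO_FRAGMENT,
                    fraghdr(IPPROTO_DSTOPTS, 0, True, 0x10000 + i) + dstopts(IPPROTO_ICMPV6, 1232)))
    return {"stateless": stateless, "stateful": stateful,
            "pending_bytes": r.pending_bytes(), "evicted": r.evicted}

if __name__ == "__main__":
    print(demo())
```

The stateless walk returns "unknown" for both fragments, so a filter that only drops what it can positively identify as an RA lets them through; only after reassembly does `classify` see type 134. The flood at the end shows the other half of the argument: every unfinished datagram costs the reassembler a buffer until a timeout or the eviction cap frees it, and the cap itself is a trade-off, since evicting a legitimate host's half-received RA is also a way to lose the packet.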
