Hi, Brian,

On 07/14/2014 12:29 AM, Brian E Carpenter wrote:
>> 2.3.1.5. Advice
>>
>> Intermediate systems should, by default, drop packets containing an
>> IPv6 Hop-by-Hop Option Extension Header.
>
> You can't say that! Firstly, RFC 7045 makes it permissible to
> simply ignore them. That's the simplest DoS defence. Secondly,
> well, dropping them is the wrong default because it breaks stuff.
> You could discuss whether to inspect them for valid contents, and
> you could discuss rate-limiting, which I understand some vendors
> support already.
Does this look reasonable:

---- cut here ----
The recommended configuration for the processing of these packets
depends on the features and capabilities of the underlying platform.
On platforms that allow forwarding of packets with HBH Options on the
fast path, we recommend that packets with HBH be forwarded as normal
(for instance, [RFC7045] allows for implementations to ignore the HBH
Options extension header when forwarding packets). Otherwise, on
platforms where processing of packets with IPv6 HBH Options is carried
out in the slow path, and an option is provided to rate-limit these
packets, we recommend that this option is selected. Finally, when
packets with HBH Options are processed in the slow path, and the
underlying platform does not have any mitigation options available for
attacks based on these packets, we recommend that such platforms drop
packets containing IPv6 HBH Options.

Those intermediate systems processing the contents of this extension
header should drop packets that contain more than one instance of the
Router Alert option (see [RFC2711]).

Finally, we note that, for obvious reasons, RPL routers must not drop
packets based on the presence of an IPv6 Hop-by-Hop Option Extension
Header.
---- cut here ----

?

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
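The three-way policy in the proposed text (forward on fast-path platforms, rate-limit where the slow path offers it, drop otherwise), the duplicate Router Alert check, and the RPL exception can be expressed as a small decision routine. The following Python is an added illustration written for this thread, not text or code from the draft or from either poster. It parses the IPv6 fixed header and the Hop-by-Hop TLV chain (Pad1, PadN and Router Alert per RFC 2460 / RFC 2711 layouts), and the platform capability flags (`fast_path_hbh`, `can_rate_limit`, `rpl_router`) are assumed inputs that a real implementation would derive from its own configuration. The packets built at the bottom are constructed samples, with all-zero addresses, used only to exercise the policy.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPPROTO_HOPOPTS = 0      # Next Header value for the Hop-by-Hop Options header
OPT_PAD1 = 0             # one-octet padding option (no length field)
OPT_PADN = 1             # multi-octet padding option
OPT_ROUTER_ALERT = 5     # Router Alert option, RFC 2711 (value is 2 octets)


@dataclass
class Hbh:
    next_header: int
    options: List[Tuple[int, bytes]]   # (option type, option value)


def parse_hbh(pkt: bytes) -> Optional[Hbh]:
    """Return the HBH header of an IPv6 packet, or None if the packet has none.

    Raises ValueError on malformed input so the caller can treat it as a drop."""
    if len(pkt) < 40 or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != IPPROTO_HOPOPTS:          # fixed header Next Header field
        return None
    ext = pkt[40:]
    if len(ext) < 2:
        raise ValueError("truncated HBH header")
    ext_len = (ext[1] + 1) * 8             # Hdr Ext Len excludes the first 8 octets
    if len(ext) < ext_len:
        raise ValueError("HBH length exceeds packet")
    opts: List[Tuple[int, bytes]] = []
    i = 2
    while i < ext_len:
        opt_type = ext[i]
        if opt_type == OPT_PAD1:
            i += 1
            continue
        if i + 1 >= ext_len:
            raise ValueError("truncated option")
        opt_len = ext[i + 1]
        if i + 2 + opt_len > ext_len:
            raise ValueError("option overruns HBH header")
        opts.append((opt_type, bytes(ext[i + 2:i + 2 + opt_len])))
        i += 2 + opt_len
    return Hbh(ext[0], opts)


def count_router_alerts(hbh: Hbh) -> int:
    return sum(1 for t, _ in hbh.options if t == OPT_ROUTER_ALERT)


def hbh_policy(pkt: bytes, fast_path_hbh: bool, can_rate_limit: bool,
               rpl_router: bool = False) -> str:
    """Apply the proposed advice; returns 'forward', 'rate-limit' or 'drop'.

    The capability flags are assumed inputs standing in for platform knowledge."""
    try:
        hbh = parse_hbh(pkt)
    except ValueError:
        return "drop"                      # malformed header: never worth the slow path
    if hbh is None:
        return "forward"                   # no HBH header, nothing to decide
    if count_router_alerts(hbh) > 1:
        return "drop"                      # RFC 2711 permits only one Router Alert
    if rpl_router:
        return "forward"                   # RPL must not drop on HBH presence alone
    if fast_path_hbh:
        return "forward"                   # platform forwards HBH without punting
    if can_rate_limit:
        return "rate-limit"                # slow path, but a limiter is available
    return "drop"                          # slow path with no mitigation available


def build_ipv6_with_hbh(options: bytes, upper_proto: int = 58) -> bytes:
    """Constructed sample: IPv6 header (:: -> ::) + HBH header carrying `options`,
    padded with Pad1/PadN to a multiple of 8 octets."""
    body = bytes([upper_proto, 0]) + options
    pad = (-len(body)) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad > 1:
        body += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
    body = body[:1] + bytes([len(body) // 8 - 1]) + body[2:]
    hdr = struct.pack("!IHBB", 6 << 28, len(body), IPPROTO_HOPOPTS, 64)
    return hdr + bytes(16) + bytes(16) + body


def build_ipv6_plain(upper_proto: int = 58) -> bytes:
    """Constructed sample: IPv6 header with no extension headers."""
    return struct.pack("!IHBB", 6 << 28, 0, upper_proto, 64) + bytes(16) + bytes(16)


ROUTER_ALERT = bytes([OPT_ROUTER_ALERT, 2, 0, 0])   # Router Alert, value 0 (MLD)

if __name__ == "__main__":
    one_ra = build_ipv6_with_hbh(ROUTER_ALERT)
    two_ra = build_ipv6_with_hbh(ROUTER_ALERT * 2)
    for name, pkt in (("plain", build_ipv6_plain()), ("one RA", one_ra), ("two RA", two_ra)):
        print(name, hbh_policy(pkt, fast_path_hbh=False, can_rate_limit=True))
```

The duplicate Router Alert test is placed before the RPL exception on purpose: the draft text forbids RPL routers from dropping on the mere presence of the header, while the Router Alert rule is a content check applied by any system that inspects the options, which a RPL router necessarily does.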
