Hi Fernando,
Yes, that works for me. Maybe you need a reference for the
RPL exception.
Thanks
Brian
On 12/08/2014 23:45, Fernando Gont wrote:
> Hi, Brian,
>
> On 07/14/2014 12:29 AM, Brian E Carpenter wrote:
>>> 2.3.1.5. Advice
>>>
>>>
>>> Intermediate systems should, by default, drop packets containing an
>>> IPv6 Hop-by-Hop Option Extension Header.
>> You can't say that! Firstly, RFC 7045 makes it permissible to
>> simply ignore them. That's the simplest DoS defence. Secondly,
>> well, dropping them is the wrong default because it breaks stuff.
>> You could discuss whether to inspect them for valid contents, and
>> you could discuss rate-limiting, which I understand some vendors
>> support already.
>
> Does this look reasonable:
>
> ---- cut here ----
> The recommended configuration for the processing of these packets
> depends on the features and capabilities of the underlying platform. On
> platforms that allow forwarding of packets with HBH Options on the fast
> path, we recommend that packets with HBH be forwarded as normal (for
> instance, [RFC7045] allows for implementations to ignore the HBH Options
> extension header when forwarding packets). Otherwise, on platforms where
> processing of packets with IPv6 HBH Options is carried out in the slow
> path, and an option is provided to rate-limit these packets, we
> recommend that this option be selected. Finally, when packets with HBH
> Options are processed in the slow path, and the underlying platform does
> not have any mitigation options available for attacks based on these
> packets, we recommend that such platforms drop packets containing IPv6
> HBH Options.
>
> Those intermediate systems processing the contents of this extension
> header should drop packets that contain more than one instance of the
> Router Alert option (see [RFC2711]).
>
> Finally, we note that, for obvious reasons, RPL routers must not drop
> packets based on the presence of an IPv6 Hop-by-Hop Option Extension Header.
> ---- cut here ----
>
> ?
>
> Thanks!
>
> Best regards,
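The three-tier recommendation in the quoted draft text (forward on a fast path, rate-limit where the platform offers it, otherwise drop) and the "more than one Router Alert option" rule are easy to get wrong without a reference parser. As an added example, not code from the thread or from any IETF document, here is a small Python HBH options parser plus a policy function that applies those rules; the packet builder, addresses and option values are constructed for the demonstration, and `fast_path_hbh` / `can_rate_limit` are hypothetical platform capability flags.

```python
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5   # option types; Router Alert is RFC 2711
NH_HBH, NH_NONE = 0, 59                           # IPv6 Next Header values

def parse_hbh_options(packet: bytes):
    """Return the (type, data) options of the HBH header, or None when the packet
    carries no HBH header. Raises ValueError on truncated or malformed headers."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    if packet[6] != NH_HBH:
        return None
    hbh = packet[40:]
    if len(hbh) < 2:
        raise ValueError("truncated HBH header")
    total = (hbh[1] + 1) * 8      # Hdr Ext Len counts 8-octet units beyond the first 8
    if len(hbh) < total:
        raise ValueError("truncated HBH header")
    opts, i = [], 2
    while i < total:
        if hbh[i] == OPT_PAD1:    # Pad1 is a single octet with no length field
            i += 1
            continue
        if i + 2 > total or i + 2 + hbh[i + 1] > total:
            raise ValueError("option overruns header")
        opts.append((hbh[i], bytes(hbh[i + 2:i + 2 + hbh[i + 1]])))
        i += 2 + hbh[i + 1]
    return opts

def hbh_policy(packet: bytes, fast_path_hbh=False, can_rate_limit=False) -> str:
    """Decide 'forward', 'rate-limit' or 'drop' for one packet per the draft text.
    fast_path_hbh / can_rate_limit are hypothetical platform capability flags."""
    try:
        opts = parse_hbh_options(packet)
    except ValueError:
        return "drop"             # malformed header: nothing sensible to forward
    if opts is None:
        return "forward"          # no HBH header present
    if sum(1 for t, _ in opts if t == OPT_ROUTER_ALERT) > 1:
        return "drop"             # more than one Router Alert option (RFC 2711)
    if fast_path_hbh:
        return "forward"          # RFC 7045: may ignore HBH and forward as normal
    return "rate-limit" if can_rate_limit else "drop"

def build_packet(hbh_body: bytes) -> bytes:
    """Constructed IPv6 packet (::1 -> ::2) followed by one HBH header."""
    assert len(hbh_body) % 8 == 6, "options plus 2 header octets must fill 8-octet units"
    hbh = bytes([NH_NONE, len(hbh_body) // 8]) + hbh_body
    hdr = bytes([0x60, 0, 0, 0]) + len(hbh).to_bytes(2, "big") + bytes([NH_HBH, 64])
    return hdr + (b"\x00" * 15 + b"\x01") + (b"\x00" * 15 + b"\x02") + hbh

RA = bytes([OPT_ROUTER_ALERT, 2, 0, 0])                            # Router Alert, value 0
ONE_RA = build_packet(RA + bytes([OPT_PADN, 0]))                   # constructed sample
TWO_RA = build_packet(RA + RA + bytes([OPT_PADN, 4, 0, 0, 0, 0]))  # constructed sample
```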
_______________________________________________
OPSEC mailing list
https://www.ietf.org/mailman/listinfo/opsec