Ole Troan wrote on 27/11/2018 08:28:
> A very unfortunate consequence of this work is that the IETF appears
> to send a message that routers in the Internet are now expected to
> parse deep into packets and perform filtering actions. That’s a big
> change of the Internet architecture, and our view of layering.

Quite the opposite: parsing deep inside packets has been a prerequisite of IPv6 EHs from the beginning and a serious row-back from this position was previously standardised in RFC 7112. At least this puts us in a position that routers now only need to inspect a single packet to determine the full IPv6 header chain - previously you would have had to inspect all subsequent fragments too, which created the requirement for core devices to track packet state.

In practice, most routers will inspect a specific distance - hardware dependent - into a packet and will ignore anything following that. There's really no point building silicon which will do arbitrary length inspection because you end up optimising your hardware for corner cases.

Nick
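
An added example, not part of the original message: a sketch of the single-packet IPv6 header-chain walk discussed above, bounded by a fixed inspection depth. The function name, verdict strings and `max_depth` parameter are assumptions for illustration, and the sample packets are constructed rather than captured.

```python
import struct

GENERIC_EH = {0, 43, 60, 135, 139, 140}   # length = (hdr_ext_len + 1) * 8
FRAGMENT, AH = 44, 51
# Minimum bytes required for the header that ends the chain:
# TCP, UDP, ICMPv6, ESP, No Next Header. Anything else: at least one byte.
MIN_UPPER = {6: 20, 17: 8, 58: 4, 50: 8, 59: 0}

def walk_chain(pkt: bytes, max_depth: int):
    """Classify one IPv6 packet without reading past max_depth bytes."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("not_ipv6", None)
    nh, off = pkt[6], 40
    while True:
        is_eh = nh in GENERIC_EH or nh in (FRAGMENT, AH)
        need = off + (8 if nh == FRAGMENT else 2 if is_eh else MIN_UPPER.get(nh, 1))
        if need > len(pkt):
            return ("truncated", nh)       # chain runs off the end of this packet
        if need > max_depth:
            return ("beyond_depth", nh)    # chain outruns the inspection window
        if not is_eh:
            return ("complete", nh)        # upper-layer header is in this packet
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return ("non_first_fragment", pkt[off])
            size = 8
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4
        else:
            size = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + size

# --- constructed sample packets (assumed values, not captured traffic) ---
def ipv6(first_nh, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + bytes(32) + payload

def dest_opts(next_nh, units=1):           # one PadN option fills the header
    return bytes([next_nh, units - 1, 1, units * 8 - 4]) + bytes(units * 8 - 4)

def frag(next_nh, offset, more):
    return bytes([next_nh, 0]) + struct.pack("!HI", (offset << 3) | more, 0x1234)

SAMPLES = {
    "plain": ipv6(60, dest_opts(17) + bytes(8)),
    "first_frag_short_chain": ipv6(44, frag(60, 0, 1) + dest_opts(6)),
    "long_chain": ipv6(60, dest_opts(17, units=16) + bytes(8)),
    "later_frag": ipv6(44, frag(17, 185, 0) + bytes(16)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, walk_chain(pkt, max_depth=128))
```

A `truncated` verdict on a first fragment is the case RFC 7112 rules out; `beyond_depth` is the case where the chain is valid but longer than the device is built to inspect.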
