On 06/07/2014 01:27, Yannis Nikolopoulos wrote:
> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>> hello,
>>>
>>> how do people handle packets with HBH present? Since their use is a
>>> potential attack vector, do people rate-limit them? I can't seem to find
>>> some sort of "best practice" on the issue
>> I have the impression that they are simply ignored in many cases.
>> That is simpler than rate-limiting. It is legal, because we reduced
>> the requirement to process them to a SHOULD in RFC 7045:
>>
>>    The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>    intermediate forwarding nodes as described in [RFC2460]. However, it
>>    is to be expected that high-performance routers will either ignore it
>>    or assign packets containing it to a slow processing path. Designers
>>    planning to use a hop-by-hop option need to be aware of this likely
>>    behaviour.
> That sounds fine and it would make our lives easier but...
>
> I'm not sure about other vendors, but it seems that Cisco boxes are
> processing those at each node, at least it seems that ASR9k and 7600 do
> (although there's the option to rate-limit them). CRS probably rate
> limit them by default but the info is quite scarce

It's for router vendors to comment, but the RFC is very recent so it
will be a while before we can expect products to be changed. If everybody
makes a feature request to their vendors along the lines of "option to
disable HBH processing as allowed by RFC 7045" something might happen.

   Brian
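
The two handling policies discussed in this thread (ignore the Hop-by-Hop header, or punt to the slow path under a rate limit), sketched as an added example that is not part of the original messages or any vendor's implementation. The mode names, the token-bucket parameters and the choice to drop packets over the limit are assumptions; the sample packets are constructed.

```python
import ipaddress
import struct

HBH = 0  # Next Header value of the Hop-by-Hop Options header (RFC 2460)

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: fixed 40-byte IPv6 header plus payload."""
    src = ipaddress.IPv6Address("2001:db8::1").packed  # documentation prefix
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def has_hbh(packet: bytes) -> bool:
    """HBH, when present, must directly follow the fixed header, so one byte decides."""
    return len(packet) >= 40 and packet[0] >> 4 == 6 and packet[6] == HBH

class TokenBucket:
    """Budget for packets punted to the slow path: `rate` per second, `burst` deep."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def classify(packet: bytes, now: float, bucket: TokenBucket, mode: str) -> str:
    """Return 'fast', 'slow' or 'drop' (mode names and the drop choice are assumptions)."""
    if not has_hbh(packet) or mode == "ignore":
        return "fast"  # 'ignore': forward without reading the options
    return "slow" if bucket.allow(now) else "drop"  # 'rate-limit'

# Constructed samples: HBH header holding one PadN option, then No Next Header (59).
HBH_PKT = build_ipv6(HBH, bytes([59, 0, 1, 4, 0, 0, 0, 0]))
PLAIN_PKT = build_ipv6(59, b"")

if __name__ == "__main__":
    bucket = TokenBucket(rate=1, burst=2)
    for t in (0.0, 0.0, 0.0, 1.0):
        print(t, classify(HBH_PKT, t, bucket, "rate-limit"))
    print(classify(HBH_PKT, 0.0, bucket, "ignore"), classify(PLAIN_PKT, 0.0, bucket, "rate-limit"))
```

In rate-limit mode the slow path sees at most the bucket's budget of HBH packets regardless of how many arrive, which is the property that protects the route processor.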