On Mon, Aug 20, 2007 at 01:43:19PM -0700, Bob Hinden wrote:
> We would like to get your comments on the following two choices:
>
> 1) Deprecate RH0 as specified in <draft-ietf-ipv6-deprecate-rh0-01.txt>.

I don't agree with all the details of this draft (particularly the
language around firewall policy), but I believe deprecation to be the
correct approach. Creating a situation where RH0 is /sometimes/ OK,
without any way of knowing if the endpoints can handle it correctly,
creates serious problems for network operators who value security over
unrestricted end-to-end connectivity.

> 2) Revising the draft to restrict the usage of RH0.  This would continue to
> require RH0 to be implemented but would restrict the functionality of RH0.
> For example, require nodes to have support for RH0 turned off by default,
> limit the number of RH0 headers in a packet to one, limit the number of
> addresses in the RH0 to a smaller number (e.g., 6), and a requirement
> that addresses can only be in the header once.

My understanding is that besides the requirement to disable RH0 by
default these controls would be fairly difficult to implement
efficiently in hardware. Such a draft would either be unimplemented
or amount to mandating another DDoS mechanism on the slow path of core
routers.

-Ryan
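The restricted-RH0 profile sketched in option 2 (at most one RH0 per packet, at most six addresses, no address listed twice), written out as a packet-inspection check. This is an added example, not code from the thread or from any draft; the sample packets are constructed, and `max_headers=0` models option 1 (outright deprecation, where any RH0 is a violation).

```python
import struct
from ipaddress import IPv6Address

IPV6_HDR_LEN = 40
NH_ROUTING, NH_FRAGMENT, NH_NONE = 43, 44, 59
GENERIC_EXT = {0, NH_ROUTING, 60}  # Hop-by-Hop, Routing, Dest Options: Hdr Ext Len in 8-octet units

def find_rh0_headers(packet: bytes) -> list:
    """Walk the extension header chain; return one address list per Type 0 Routing Header."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, found = packet[6], IPV6_HDR_LEN, []
    while next_hdr in GENERIC_EXT or next_hdr == NH_FRAGMENT:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        hdr_len = 8 if next_hdr == NH_FRAGMENT else (ext_len + 1) * 8  # Fragment header is a fixed 8 octets
        if next_hdr == NH_ROUTING and packet[offset + 2] == 0:  # Routing Type field == 0
            body = packet[offset + 8:offset + hdr_len]
            if ext_len % 2 or len(body) != ext_len * 8:  # RFC 2460: Hdr Ext Len = 2 * number of addresses
                raise ValueError("malformed RH0 length")
            found.append([IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)])
        offset, next_hdr = offset + hdr_len, nh
    return found

def check_rh0_policy(packet: bytes, max_headers: int = 1, max_addresses: int = 6) -> list:
    """Violations of the restricted-RH0 profile; max_headers=0 expresses outright deprecation."""
    rh0s, violations = find_rh0_headers(packet), []
    if len(rh0s) > max_headers:
        violations.append(f"{len(rh0s)} RH0 headers present (limit {max_headers})")
    for n, addrs in enumerate(rh0s, 1):
        if len(addrs) > max_addresses:
            violations.append(f"RH0 #{n} carries {len(addrs)} addresses (limit {max_addresses})")
        repeated = sorted({str(a) for a in addrs if addrs.count(a) > 1})
        if repeated:
            violations.append(f"RH0 #{n} repeats address(es) {', '.join(repeated)}")
    return violations

def build_sample_packet(addr_lists: list) -> bytes:
    """Constructed sample (not captured traffic): minimal IPv6 packet carrying the given RH0 chain."""
    ext = b""
    for i, addrs in enumerate(addr_lists):
        nh = NH_ROUTING if i + 1 < len(addr_lists) else NH_NONE
        ext += bytes([nh, 2 * len(addrs), 0, len(addrs)]) + b"\x00" * 4  # Type 0, all segments left, reserved
        ext += b"".join(IPv6Address(a).packed for a in addrs)
    first_nh = NH_ROUTING if addr_lists else NH_NONE
    hdr = struct.pack("!IHBB", 6 << 28, len(ext), first_nh, 64)  # version 6, payload length, next hdr, hop limit
    return hdr + IPv6Address("2001:db8::1").packed + IPv6Address("2001:db8::2").packed + ext
```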

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
