Folks, I have just published a new Internet-Draft (draft-gont-6man-nd-extension-headers) entitled "Security Implications of the Use of IPv6 Extension Headers with IPv6 Neighbor Discovery".

The I-D is available at: http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-00.txt

The Abstract of the I-D is:

---- cut here ----
IPv6 Extension Headers with Neighbor Discovery messages can be leveraged to circumvent simple local network protections, such as "Router Advertisement Guard". Since there is no legitimate use for IPv6 Extension Headers in Neighbor Discovery messages, and such use greatly complicates network monitoring and simple security mitigations such as RA-Guard, this document proposes that hosts silently ignore Neighbor Discovery messages that use IPv6 Extension Headers.
---- cut here ----

Note: A closely related (and just published) I-D is draft-gont-v6ops-ra-guard-evasion-00, which is aimed at the v6ops wg (rather than 6man).

Any comments on any of these I-Ds will be very welcome.

Thanks!

Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
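
An illustration of the check the abstract proposes, added here as an example (it is not part of the original message or of the I-D): a receive-side filter that walks the IPv6 header chain and marks a Neighbor Discovery message for silent discard when any extension header precedes it. The names `classify` and `build_ipv6`, the return labels, and the sample packets are constructed for illustration.

```python
import struct

HBH, ROUTING, FRAGMENT, AH, DSTOPTS, ICMPV6 = 0, 43, 44, 51, 60, 58
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, AH, DSTOPTS}
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect (RFC 4861)


def classify(packet: bytes) -> str:
    """Hypothetical helper: 'nd-accept', 'nd-ignore', 'not-nd' or 'undetermined'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "undetermined"
    next_header, offset, ext_seen = packet[6], 40, 0
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            return "undetermined"  # header chain runs past the bytes we hold
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "undetermined"  # non-first fragment: no upper-layer header
            hdr_len = 8
        elif next_header == AH:
            hdr_len = (packet[offset + 1] + 2) * 4  # AH counts 4-octet units
        else:
            hdr_len = (packet[offset + 1] + 1) * 8  # others count 8-octet units
        next_header = packet[offset]
        offset += hdr_len
        ext_seen += 1
    if next_header != ICMPV6:
        return "not-nd"
    if offset >= len(packet):
        return "undetermined"
    if packet[offset] not in ND_TYPES:
        return "not-nd"
    # The draft's proposal: ND behind any extension header is silently ignored.
    return "nd-ignore" if ext_seen else "nd-accept"


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet, fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return fixed + src + dst + payload


# Constructed samples (checksums left at zero; only the header chain matters here).
RA = bytes([134, 0, 0, 0]) + bytes(12)         # Router Advertisement body
DSTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # Destination Options with PadN
PLAIN_RA = build_ipv6(ICMPV6, RA)
EXT_RA = build_ipv6(DSTOPTS, DSTOPT + RA)
LATE_FRAGMENT = build_ipv6(FRAGMENT, bytes([ICMPV6, 0, 0, 8, 0, 0, 0, 1]) + bytes(8))
```

A packet classified as `undetermined` carries no upper-layer header in the bytes examined, so this per-packet check alone cannot decide it.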