Hi,

Some folks have expressed (both on-list and off-list) that they would
prefer a less aggressive solution for the RA-Guard evasion vulnerability.
So I'd like to hear comments about the possible alternatives.

The current I-Ds (draft-gont-6man-nd-extension-headers and
draft-gont-v6ops-ra-guard-evasion) basically take this approach:

* Prohibit use of extension headers in ND messages. A host
implementation must not produce these packets, and must discard them if
it receives them
* This results in a RA-Guard implementation that is as simple as
possible (it only has to look at the header following the fixed IPv6
header).


A more relaxed approach would be as follows:
* Extension headers are allowed with ND messages.
* If the packet is fragmented, the upper-layer header (ICMPv6 in this
case) must be present in the first fragment (i.e., hosts must not
generate packets that violate this requirement, and must discard them if
they receive them).
* Possibly have the RA-Guard box enforce a limit on the maximum number
of extension headers that it will process (e.g., if after jumping to
the, say 10th header the upper-layer header is not found, drop the packet)
* This approach is less aggressive than the one proposed in the
aforementioned I-Ds (i.e., more flexibility), but of course would also
mean that the RA-Guard implementation would need to follow the header
chain, thus leading to increased complexity, and possible performance
issues.

Any comments/thoughts will be very much appreciated.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
