In your letter dated Fri, 10 Jun 2011 18:51:12 -0300 you wrote:
>A more relaxed approach would be as follows:
>* Extension headers are allowed with ND messages.
>* If the packet is fragmented, the upper-layer header (ICMPv6 in this
>case) must be present in the first fragment (i.e., hosts must not
>generate packets that violate this requirement, and must discard them if
>they receive them).
>* Possibly have the RA-Guard box enforce a limit on the maximum number
>of extension headers that it will process (e.g., if after jumping to
>the, say 10th header the upper-layer header is not found, drop the packet)
>* This approach is less aggressive than the one proposed in the
>aforementioned I-Ds (i.e., more flexibility), but of course would also
>mean that the RA-Guard implementation would need to follow the header
>chain, thus leading to increased complexity, and possible performance
>issues.

Strikes me as a bad tradeoff. This requires all L2 switches to parse IPv6
extension headers at wire speed. So, some of them will get it wrong. 

And the only benefit mentioned in the discussion so far is the need to send
RAs large enough that they need to be fragmented.

Another benefit would be that you don't have to change host software.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
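
The relaxed approach from the quoted proposal, sketched as an added example (not part of either message, and not taken from the I-Ds or any RA-Guard implementation): follow the header chain up to a limit, require the ICMPv6 header in the first fragment, and drop Router Advertisements. The function name, verdict strings and sample packets are assumptions constructed for illustration.

```python
import struct

EXT_LEN8 = {0, 43, 60}       # Hop-by-Hop, Routing, Destination Options
FRAGMENT, AH, ICMPV6 = 44, 51, 58
ROUTER_ADVERT = 134          # ICMPv6 type of a Router Advertisement

def ra_guard_verdict(pkt: bytes, max_ext_headers: int = 10) -> str:
    """Verdict for an IPv6 packet arriving on a port where RAs are not allowed."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop"                   # not a complete IPv6 fixed header
    nxt, off, seen = pkt[6], 40, 0
    while nxt in EXT_LEN8 or nxt in (FRAGMENT, AH):
        seen += 1
        if seen > max_ext_headers:
            return "drop"               # upper-layer header not found within the limit
        if off + 8 > len(pkt):
            return "drop"               # header chain continues past this packet
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "forward"        # non-first fragment; the first one is judged
            hdr_len = 8
        elif nxt == AH:
            hdr_len = (pkt[off + 1] + 2) * 4
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    if nxt == ICMPV6 and (off >= len(pkt) or pkt[off] == ROUTER_ADVERT):
        return "drop"                   # ICMPv6 header missing from this packet, or an RA
    return "forward"

# Constructed sample packets (zeroed addresses and checksums), not captured traffic.
def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + bytes(32) + payload
def dstopt(next_header: int) -> bytes:
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])    # 8 bytes, one PadN option
def frag(next_header: int, offset: int, more: int) -> bytes:
    return bytes([next_header, 0]) + struct.pack("!HI", offset << 3 | more, 1)

RA = bytes([ROUTER_ADVERT]) + bytes(15)
SAMPLES = {
    "plain RA": ipv6(ICMPV6, RA),
    "RA behind Destination Options": ipv6(60, dstopt(ICMPV6) + RA),
    "first fragment without ICMPv6 header": ipv6(44, frag(60, 0, 1) + dstopt(ICMPV6)),
    "12 extension headers": ipv6(60, dstopt(60) * 11 + dstopt(17) + bytes(8)),
    "Neighbor Solicitation": ipv6(60, dstopt(ICMPV6) + bytes([135]) + bytes(23)),
    "non-first fragment": ipv6(44, frag(ICMPV6, 100, 0) + bytes(16)),
}
```

Every packet pays for the loop over the header chain, which is the per-packet parsing cost the reply objects to for L2 switches.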
