Hi, Bob,

On 06/11/2011 12:02 PM, Bob Hinden wrote:
>> * Prohibit use of extension headers in ND messages. A host
>> implementation must not produce these packets, and must discard
>> them if it receives them
>> * This results in a RA-Guard
>> implementation that is as simple as possible (it only has to look
>> at the header following the fixed IPv6 header).
>
> What is a use case where extension headers would be used in ND
> (ICMPv6) messages?

I am told that AH could potentially be used with ND. Also, that some high-security sites might want to use CALIPSO with ND. And that there's always the possibility that somebody could come up with an ND extension/feature that requires IPv6 extension headers.

I personally think that when it comes to possible extensions to ND, most of them could be implemented with ND options (rather than extension headers).

As for AH or CALIPSO, from my perspective (and if anything) I'd argue that the I-D could require that hosts include a configuration switch that can enable the processing of ND packets with extension headers (such a configuration knob would default to "off/disable") -- i.e., for the general case (and by default), ND packets are not allowed to include IPv6 extension headers... but if you have a specific scenario in which you'd need them (unlikely, from my perspective), you can override this policy such that they are accepted.

> Same for Fragmentation?

As far as I can tell from Pekka's note, at least radvd does not support fragmentation with ND. So the only *potential* use case is sending (probably insane) amounts of information in RAs -- but you can always send the same amount of information using multiple RAs.

> I am having a hard time thinking of any, so I like your approach.

I believe the approach currently outlined in the I-Ds keeps things simple and allows for simple RA-guard implementation and ND-monitoring tools like NDPMon. And that's the approach I would prefer to pursue. However, since some had brought up possible alternatives, I wanted others to weigh in.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
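
The two checks discussed in this message, as an added example that is not part of the original e-mail or of the I-Ds: a guard that inspects only the header following the fixed IPv6 header, and a host receive policy that discards ND messages carrying extension headers unless a default-off knob is enabled. The function names, the `allow_ext_headers` parameter and the sample packets are assumptions made for illustration.

```python
import struct

ICMPV6 = 58
EXT_HEADERS = {0, 43, 44, 51, 60}     # Hop-by-Hop, Routing, Fragment, AH, Dest Options
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect

def ra_guard_drop(pkt):
    """Switch side, host-facing port: look only at the header that follows
    the fixed 40-byte IPv6 header and drop Router Advertisements."""
    return len(pkt) > 40 and pkt[0] >> 4 == 6 and pkt[6] == ICMPV6 and pkt[40] == 134

def host_accepts_nd(pkt, allow_ext_headers=False):
    """Host side: False means discard. allow_ext_headers is the hypothetical
    configuration knob from the message; it defaults to off."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False
    nh, off, saw_ext = pkt[6], 40, False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return False                      # truncated header chain
        saw_ext = True
        if nh == 44:                          # Fragment header, fixed 8 bytes
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return True                   # non-first fragment: not classified here
            size = 8
        elif nh == 51:                        # AH length is in 4-byte units, minus 2
            size = (pkt[off + 1] + 2) * 4
        else:
            size = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + size
    if nh != ICMPV6 or off >= len(pkt) or pkt[off] not in ND_TYPES:
        return True                           # not ND: this policy does not apply
    return allow_ext_headers or not saw_ext

def ipv6(next_header, payload):
    """Constructed test packet: unspecified addresses, hop limit 255."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return fixed + bytes(32) + payload

RA_MSG = bytes([134, 0]) + bytes(14)          # constructed RA, checksum left at zero
PLAIN_RA = ipv6(ICMPV6, RA_MSG)
# Same RA behind a Destination Options header holding one PadN option.
DSTOPT_RA = ipv6(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_MSG)

if __name__ == "__main__":
    for name, pkt in (("plain RA", PLAIN_RA), ("RA + dest options", DSTOPT_RA)):
        print(name, "guard drops:", ra_guard_drop(pkt), "host accepts:", host_accepts_nd(pkt))
```

The second sample is not matched by the one-header guard, and it is the host-side discard rule that rejects it, which is what lets the guard stay that simple.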