On 22 Jun 2011, at 07:15, Mikael Abrahamsson wrote:
> On Wed, 22 Jun 2011, RJ Atkinson wrote:
>> It absolutely is an implementation issue -- specifically it is
>> a "quality of implementation" issue, not a complexity issue.
> 
> I feel that there should be guidance regarding this in the SAVI
> documentation, even if this is only a pointer to another document
> that describes how to parse an IPv6 packet.

That seems useful to me.

> Just the same way that it's "obvious" that anyone can spoof RAs
> on a flat L2 lan, it's "obvious" that fragmentation and headers
> can make parsing actual payload harder and needs to be handled.
> These two "obvious" have historically been overlooked numerous times.

As the 17th June 2011 note I pointed to earlier today, 
but did not repeat in its entirety, observed:

A) the "Fragmentation Header" is clearly a security risk,
   so banning that makes sense.

B) packet re-assembly can be expensive in (memory footprint, computation).

C) the "Routing Header" better not be in an ND packet in any case,
   since ND packets are supposedly link-local, and therefore not applicable 
   for any ND packet, so banning that makes sense.


That same note pointed out that the above analysis is NOT true
for selected other IPv6 Extension Headers (i.e. the ones that 
might actually be useful with ND), for example:

1) Hop-by-Hop Options header, which safely and trivially
   can be parsed past by a L2 device just implementing an RA Guard

2) Destination Options header, which also safely and trivially
   can be parsed past by a L2 device just implementing an RA Guard.
 
> Just the same way describing how to do SAVI L2.5 functionality to solve
> different security implications needs to be done to provide guidance
> to vendors, I also feel that they need to be helped to handle fragmentation 
> attacks.

That also sounds useful to me.

Cheers,

Ran
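The header-chain walk that points A) to C) and 1) to 2) above describe, as an added example that is not code from the thread or from any SAVI or RA Guard product: it parses past Hop-by-Hop and Destination Options headers, refuses ND that arrives behind a Fragment or Routing header, and drops a packet whose chain does not fit within what the L2 device can see. The `ipv6` packet builder and the sample header bytes are constructed for illustration.

```python
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect
RA_TYPE = 134

def classify_for_ra_guard(pkt: bytes) -> str:
    """Walk the extension-header chain of one raw IPv6 packet and say what a
    link-layer RA Guard should do: 'ra' (check against guard policy), 'forward'
    (not ND), 'drop-fragment', 'drop-routing', or 'drop-malformed'."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "drop-malformed"
    next_hdr, offset = pkt[6], IPV6_HDR_LEN
    fragmented = routed = False
    while True:
        if next_hdr in (HOP_BY_HOP, DEST_OPTS, ROUTING):
            if offset + 2 > len(pkt):
                return "drop-malformed"
            routed |= next_hdr == ROUTING
            # Hdr Ext Len is in 8-octet units, not counting the first 8 octets
            next_hdr, offset = pkt[offset], offset + (pkt[offset + 1] + 1) * 8
        elif next_hdr == FRAGMENT:
            if offset + 8 > len(pkt):
                return "drop-malformed"
            if struct.unpack("!H", pkt[offset + 2:offset + 4])[0] >> 3:
                return "forward"   # non-first fragment: cannot hold the RA header
            fragmented, next_hdr, offset = True, pkt[offset], offset + 8
        elif next_hdr == ICMPV6:
            if offset + 4 > len(pkt):
                return "drop-malformed"   # chain does not fit: no visible upper layer
            icmp_type = pkt[offset]
            if icmp_type in ND_TYPES and fragmented:
                return "drop-fragment"
            if icmp_type in ND_TYPES and routed:
                return "drop-routing"
            return "ra" if icmp_type == RA_TYPE else "forward"
        else:
            return "forward"   # TCP, UDP, ...: not the guard's concern

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Constructed sample packet: fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 255) + src + dst + payload

RA = struct.pack("!BBH", RA_TYPE, 0, 0) + bytes(12)     # minimal RA body, checksum 0
HBH = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])              # Hop-by-Hop carrying one PadN
FRAG = struct.pack("!BBHI", ICMPV6, 0, 0, 0x1234)       # first and only fragment
RH = bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 0])               # Routing header, 0 segments left
```

Running `classify_for_ra_guard` over `ipv6(HOP_BY_HOP, HBH + RA)` yields "ra" while `ipv6(FRAGMENT, FRAG + RA)` yields "drop-fragment", which is the distinction the note above draws between the two kinds of extension header.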

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------