Nalini Elkins wrote:
> >>> Some tricky and potentially malicious cases will be avoided by
> >>> forbidding very long chains of extension headers that need to be
> >>> fragmented [I-D.ietf-6man-oversized-header-chain].
> >
> > I wonder if this is the place to define "very long"?
>
> >> I guess those two words can be deleted - the issue is only that the
> >> header chain gets fragmented at all. The full discussion is in the
> >> cited draft, of course.
>
> I know the draft that you have cited and they do not define "long"
> either. There has been quite a bit of discussion about what "long"
> means and IMHO somewhere, someone needs to take some kind of
> reasonable stand.
>
Actually IMHO ietf-6man-oversized-header-chain DOES define "unusually
long" very accurately.

I-D.ietf-6man-oversized-header-chain requires that "the first fragment
of a fragmented datagram is required to contain the entire IPv6 header
chain"

So in other words, any packet parsing engine should be prepared to
examine an entire single frame up to the MTU of the local egress
interface, but should not be expected to maintain any state across
multiple fragments.

We might also benefit operationally from setting an additional limit on
the length of the hop-by-hop option header, which is theoretically meant to
be processed by routers along the path. However, my guess is that is
well beyond the authors' original intentions for
draft-ietf-6man-oversized-header-chain-02, which was more focussed on
firewalls.

>
> >> The IETF hasn't done much about firewalls at all. This
> >> search produces far more expired drafts than anything else:
> >> https://datatracker.ietf.org/doc/search/?name=firewalls&rfcs=on&activeDrafts=on&oldDrafts=on&search_submit=
>
> The reason I asked is because I think defining RFCs or rules for
> firewalls is a really good thing to do but if the vendors are not in
> the habit of having to be compliant, then why would they pay attention
> to this draft that we are discussing?  I actually think maybe an RFC
> which explicitly talks about firewalls is probably a good thing to do.
> Now, getting vendors to comply...
>
> Thanks,
>
> Nalini Elkins
> Inside Products, Inc.
> (831) 659-8360
> www.insidethestack.com
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------