On Jun 11, 2013, at 5:50 AM, Jared Mauch <ja...@puck.nether.net> wrote:

> 
> On Jun 11, 2013, at 12:23 AM, cb.list6 <cb.li...@gmail.com> wrote:
> 
>> I believe Warren's data hints at the idea that the packets will vanish if 
>> they don't fit a very specific profile.  

Yup. 

> 
> Very likely…
> 
> Anything beyond the ability of my device to filter poses a security risk.  

Also yup.

And the deployability of things like extension headers is influenced by 
operators' default-deny / filtering policy. 

If the IPv6 stack on a host knows that the traffic is local to a link (like 
link-local :-)) it has a high likelihood of being able to ship any old thing 
(including EH) to other hosts - most folk don't filter on L2.
As soon as the traffic is destined for a different subnet the stack has no 
(easy) way of knowing if the traffic is likely to hit a filter[0] -- this makes 
it "dangerous" for it to assume that it can insert headers into the packet, and 
so it should assume that such packets will be dropped.

The obvious exception to this is things explicitly configured, like ESP -- I 
assume (with my v4 hat!) that most things I try to connect to will drop IPsec, 
except VPN servers, which have specific rules to allow it.
If you are using IPv6 ESP / AH to encrypt traffic to something that is 
expecting it (like a VPN widget) you can probably expect that there are 
explicit terms in the filters to allow it. There is also a human on the end to 
debug things if it doesn't work right - if you click the "Make a VPN!!!!" 
button [1] and nothing happens you can call someone and shout till they fix it 
:-P

W

[0]: Well, the host stack could probe by sending packets with and without EH 
and only use them if they seem to work. This implies that the actual extensions 
are not critical though.
[1]: or site-to-site VPN, etc.

> 
> Example from 2008 of operators turning off header processing:
> 
> http://www.gossamer-threads.com/lists/nsp/juniper/15066
> 
> - Jared
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
> 

--
After you'd known Christine for any length of time, you found yourself fighting 
a desire to look into her ear to see if you could spot daylight coming the 
other way.

    -- (Terry Pratchett, Maskerade)
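As an added illustration of the policy Warren sketches above (not code from the thread or from any IETF document), the snippet below walks an IPv6 next-header chain to find extension headers and then applies his rule of thumb: on-link traffic can carry any EH, off-link traffic with EH should be assumed dropped unless it is ESP/AH to a host explicitly configured to accept it. The `expected_fate` heuristic, the `local_prefix` / `esp_allowed` parameters and the sample packets are all assumptions constructed for this example.

```python
import ipaddress
import struct

# IPv6 extension header protocol numbers (RFC 8200 / IANA registry).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def walk_headers(pkt):
    """Return (dst, [ext header numbers]) by following the next-header chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, dst, off, chain = pkt[6], ipaddress.IPv6Address(pkt[24:40]), 40, []
    while nh in EXT_HEADERS:
        chain.append(nh)
        if nh == ESP:            # ESP payload is opaque: the chain ends here
            break
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == FRAGMENT:       # fixed 8-byte header
            hlen = 8
        elif nh == AH:           # length field counts 32-bit words, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                    # HBH/Routing/DestOpts: 8-octet units, minus 1
            hlen = (pkt[off + 1] + 1) * 8
        off, nh = off + hlen, next_nh
    return dst, chain

def expected_fate(pkt, local_prefix, esp_allowed=False):
    """Heuristic (assumption): will a filter on the path likely drop this packet?"""
    dst, chain = walk_headers(pkt)
    if not chain:
        return "pass"                      # no EH, nothing for a filter to object to
    if dst in LINK_LOCAL or dst in local_prefix:
        return "pass"                      # on-link: delivered at L2, no filter hit
    if set(chain) <= {ESP, AH} and esp_allowed:
        return "pass"                      # explicit VPN-style allow rule exists
    return "likely dropped"                # off-link EH: assume default-deny

def build(dst, nh, ext=b""):
    """Constructed sample packet: fixed header + optional extension header bytes."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    hdr = struct.pack("!IHBB", 0x60000000, len(ext), nh, 64)
    return hdr + src + ipaddress.IPv6Address(dst).packed + ext

# Constructed Destination Options header: next header TCP (6), one PadN option.
DEST_OPT = b"\x06\x00\x01\x04\x00\x00\x00\x00"
LOCAL_NET = ipaddress.IPv6Network("2001:db8::/64")
```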
