On 1/19/14, 9:05 AM, Saku Ytti wrote:
> On (2014-01-19 16:11 +0000), Nick Hilliard wrote:
> 
>> attacks for hardware-forwarded routers, so generally the only sensible
>> option is to drop packets with long EH chains.
> 
> I think the sensible thing is to handle it in HW when possible and punt, rate-limited,
> when you must. Dropping standards-compliant data seems dubious at best.

There are routers and switches that by design have no recourse to a
software forwarding path.

It doesn't make a lot of sense to have a device that has a nominal
capacity of several Tb/s attempt to punt packets up to a control-plane
processor that's gig-e connected.

> Now, should it be standards compliant?
> 
> http://tools.ietf.org/html/draft-ietf-6man-oversized-header-chain-09 is
> looking to restrict EHs further. I contacted the authors hoping for even more
> limitation than it currently suggests; they thought 6man would never accept
> limits as strict as those I suggested.
> My suggestion is that IP + EH (not L4) SHOULD NOT span more than 128B and
> implementations MAY drop frames with larger headers.
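As an added example, not part of this thread or of the 6man draft: a walk of an IPv6 extension-header chain that measures "IP + EH (not L4)" and applies the 128-byte limit proposed above as a forward/drop decision. The header length rules are the standard ones (RFC 2460 for Hop-by-Hop, Routing, Fragment and Destination Options, RFC 4302 for AH); the 128-byte figure, the drop policy, the treatment of a non-first fragment as the end of the visible chain, and all sample packets are assumptions or constructed for the demonstration, not anything a vendor or the draft specifies. It also handles the failure mode a length check must cope with: a header that claims more bytes than the packet carries.

```python
"""Walk an IPv6 extension-header chain and apply a header-length drop policy.

Length rules used (RFC 2460 for the EH formats, RFC 4302 for AH):
  Hop-by-Hop (0), Routing (43), Destination Options (60), Mobility (135):
      length = (Hdr Ext Len + 1) * 8 bytes
  Fragment (44):              fixed 8 bytes
  Authentication Header (51): length = (Payload Len + 2) * 4 bytes
  No Next Header (59):        ends the chain, no upper-layer header follows
"""
import struct

IPV6_HDR_LEN = 40
NO_NEXT_HEADER = 59
EXT_HEADERS = {0: "HOPOPT", 43: "Routing", 44: "Fragment", 51: "AH",
               60: "DestOpts", 135: "Mobility"}
# Assumed policy knob: the 128-byte IPv6+EH figure proposed in the thread.
DEFAULT_MAX_CHAIN = 128


class Truncated(Exception):
    """An extension header claims more bytes than the packet carries."""


def walk_chain(pkt):
    """Return (chain_len, upper_layer_proto, names) for one IPv6 packet.

    chain_len counts the fixed IPv6 header plus every extension header up to
    but not including the upper-layer header. upper_layer_proto is None when
    the chain ends in No Next Header or stops at a non-first Fragment header,
    whose continuation lives in a different packet.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, names = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise Truncated(f"{EXT_HEADERS[nh]} header starts past end of packet")
        names.append(EXT_HEADERS[nh])
        if nh == 44:
            hlen = 8
        elif nh == 51:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise Truncated(f"{EXT_HEADERS[nh]} claims {hlen}B, "
                            f"only {len(pkt) - off}B present")
        next_nh = pkt[off]
        # Fragment offset is the top 13 bits of the 16-bit field after Next Header.
        if nh == 44 and struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
            return off + hlen, None, names   # non-first fragment: chain continues elsewhere
        nh, off = next_nh, off + hlen
    return off, (None if nh == NO_NEXT_HEADER else nh), names


def forwarding_decision(pkt, max_chain=DEFAULT_MAX_CHAIN):
    """Return ('forward' | 'drop', reason) under the assumed length policy."""
    try:
        chain_len, ulp, names = walk_chain(pkt)
    except Truncated as exc:
        return "drop", f"incomplete header chain: {exc}"
    chain = "+".join(["IPv6"] + names)
    if chain_len > max_chain:
        return "drop", f"{chain} = {chain_len}B exceeds {max_chain}B"
    return "forward", f"{chain} = {chain_len}B, upper layer {ulp}"


# --- constructed sample packets (not captured traffic) ----------------------

def build_packet(first_nh, body):
    """Fixed IPv6 header with placeholder 2001:db8:: addresses, then body."""
    fixed = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64)
    addr = bytes.fromhex("20010db8") + bytes(12)
    return fixed + addr + addr + body


def opts_header(next_nh, ext_len):
    """Hop-by-Hop/Destination Options header of (ext_len+1)*8 bytes, PadN-filled."""
    pad = (ext_len + 1) * 8 - 4            # PadN option data after its type/len
    return bytes([next_nh, ext_len, 1, pad]) + bytes(pad)


def fragment_header(next_nh, offset, more, ident=0x1234):
    """Fragment header: offset in 8-byte units, M flag in the low bit."""
    return struct.pack("!BBHI", next_nh, 0, (offset << 3) | more, ident)


SAMPLE_PACKETS = {
    "plain_udp":         build_packet(17, bytes(8)),
    "hbh_dstopts_tcp":   build_packet(0, opts_header(60, 0) + opts_header(6, 1) + bytes(20)),
    "oversized_dstopts": build_packet(60, opts_header(17, 11) + bytes(8)),
    "first_fragment":    build_packet(44, fragment_header(60, 0, 1) + opts_header(6, 0) + bytes(20)),
    "later_fragment":    build_packet(44, fragment_header(6, 100, 0) + bytes(20)),
    # Claims a 24-byte Destination Options header but only 8 bytes follow.
    "truncated_dstopts": build_packet(60, bytes([6, 2]) + bytes(6)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        action, reason = forwarding_decision(pkt)
        print(f"{name:18} {action:8} {reason}")
```

With the 40-byte fixed header counted, the 128-byte figure leaves 88 bytes for extension headers, which in this walk is a single 96-byte Destination Options header away from a drop. Raising `max_chain` (or, on a box with a software path, replacing the drop branch with a rate-limited punt) is where the two positions in the thread diverge; the parsing itself is the same either way.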