Re: IPv6 packets with HBH

2014-08-11 Thread Ole Troan
Erik, > On 11 August 2014 18:33, Yannis Nikolopoulos wrote: > On 08/07/2014 03:05 PM, Ole Troan wrote: > advice with regards to HBH headers. assuming there isn't any feature enabled > that uses HBH. on a platform that supports forwarding of packets with HBH > without punting, forward. for platf

Re: IPv6 packets with HBH

2014-08-11 Thread Eric Vyncke (evyncke)
r>>, IPv6 Ops list mailto:ipv6-ops@lists.cluenet.de>> Subject: Re: IPv6 packets with HBH On 11 August 2014 18:33, Yannis Nikolopoulos mailto:d...@otenet.gr>> wrote: On 08/07/2014 03:05 PM, Ole Troan wrote: advice with regards to HBH headers. assuming there isn't any feature e

Re: IPv6 packets with HBH

2014-08-11 Thread Yannis Nikolopoulos
On 08/07/2014 03:05 PM, Ole Troan wrote: advice with regards to HBH headers. assuming there isn't any feature enabled that uses HBH. on a platform that supports forwarding of packets with HBH without punting, forward. for platforms that do punt regardless, drop. cheers, Ole sound advice, chee

Re: IPv6 packets with HBH

2014-08-07 Thread Fernando Gont
On 08/07/2014 08:05 AM, Ole Troan wrote: > >>> how do people handle packets with HBH present? Since their use is >>> a potential attack vector, do people rate-limit them? I can't >>> seem to find some sort of "best practice" on the issue >> >> This is the current state of affairs on the public IP

Re: AAAA records (was: Re: IPv6 packets with HBH)

2014-08-07 Thread Eric Vyncke (evyncke)
Jens I am sure that you know about the numerous statistics in a related way on: https://www.vyncke.org/ipv6status or http://6lab.cisco.com/stats and many others ;-) And, if you want to test your extension header (actually only testing the routing header one): https://www.vyncke.org/sr.php -éric

Re: IPv6 packets with HBH

2014-08-07 Thread Ole Troan
Fernando, >> how do people handle packets with HBH present? Since their use is a >> potential attack vector, do people rate-limit them? I can't seem to find >> some sort of "best practice" on the issue > > This is the current state of affairs on the public IPv6 Internet: >

AAAA records (was: Re: IPv6 packets with HBH)

2014-08-07 Thread Jens Link
Fernando Gont writes: Hi, > This is the current state of affairs on the public IPv6 Internet: > After reading slide 7 I decided to take a closer look at those "funny" IPv6 addresses. I used host to get AAA

Re: IPv6 packets with HBH

2014-08-07 Thread Fernando Gont
Hi, Yannis, On 07/04/2014 12:05 PM, Yannis Nikolopoulos wrote: > > how do people handle packets with HBH present? Since their use is a > potential attack vector, do people rate-limit them? I can't seem to find > some sort of "best practice" on the issue This is the current state of affairs on th

Re: IPv6 packets with HBH

2014-07-18 Thread Brian E Carpenter
You-all might want to hop over to IETF-land to comment on http://tools.ietf.org/html/draft-gont-opsec-ipv6-eh-filtering Regards Brian On 19/07/2014 07:45, Yannis Nikolopoulos wrote: > Eric, > > thanks for your comments > > On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote: >> Yannis >> >>

Re: IPv6 packets with HBH

2014-07-18 Thread Yannis Nikolopoulos
Eric, thanks for your comments On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote: Yannis While I cannot speak for all vendors or even for all of my employer's products, you will indeed find that control-plane policing (= rate-limiting) is either on by default or can be configured on most rou

Re: IPv6 packets with HBH

2014-07-09 Thread Eric Vyncke (evyncke)
Yannis While I cannot speak for all vendors or even for all of my employer's products, you will indeed find that control-plane policing (= rate-limiting) is either on by default or can be configured on most routers. Alternatively, you may want to use plain ACL to drop all those potentially-harmfu

Re: IPv6 packets with HBH

2014-07-05 Thread Brian E Carpenter
On 06/07/2014 01:27, Yannis Nikolopoulos wrote: > On 07/04/2014 11:43 PM, Brian E Carpenter wrote: >> On 05/07/2014 04:05, Yannis Nikolopoulos wrote: >>> hello, >>> >>> how do people handle packets with HBH present? Since their use is a >>> potential attack vector, do people rate-limit them? I can'

Re: IPv6 packets with HBH

2014-07-05 Thread Yannis Nikolopoulos
On 07/04/2014 11:43 PM, Brian E Carpenter wrote: On 05/07/2014 04:05, Yannis Nikolopoulos wrote: hello, how do people handle packets with HBH present? Since their use is a potential attack vector, do people rate-limit them? I can't seem to find some sort of "best practice" on the issue I have

Re: IPv6 packets with HBH

2014-07-04 Thread Brian E Carpenter
On 05/07/2014 04:05, Yannis Nikolopoulos wrote: > hello, > > how do people handle packets with HBH present? Since their use is a > potential attack vector, do people rate-limit them? I can't seem to find > some sort of "best practice" on the issue I have the impression that they are simply ignore

IPv6 packets with HBH

2014-07-04 Thread Yannis Nikolopoulos
hello, how do people handle packets with HBH present? Since their use is a potential attack vector, do people rate-limit them? I can't seem to find some sort of "best practice" on the issue cheers, Yannis