From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Tom Herbert <tom@herbertland.com>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Subject: Re: IPv6 extension header privileges
Date: Fri, 20 May 2016 21:56:04 -0400
Message-ID: <20160521015604.GD2452@oracle.com>
In-Reply-To: <1e22f140-920e-0d1c-4a43-03780fb380a8@stressinduktion.org>

On (05/21/16 02:20), Hannes Frederic Sowa wrote:
>
> There are some options inherently protocol depending like the jumbo
> payload option, which should be under control of the kernel, or the
> router alert option for igmp, which causes packets to be steered towards
> the slow/software path of routers, which can be used for DoS attacks.
>
> Setting CALIPSO options in IPv6 on packets as users would defeat the
> whole CALIPSO model, etc.
>
> The RFC3542 requires at least some of the options in dst/hop-by-hop

"requires" is a strong word. 3542 declares it as a "may" (lower case).
The only thing required strongly is IPV6_NEXTHOP itself.
I suspect 3542 was written at a time when hbh and dst opt were loosely
defined and the "may" is just a place-holder (i.e., it's not even a MAY).

>
> AFAIK people worried about the parsing overhead and thus decided to
> block it for ordinary users.

That's probably more likely, esp for hbh options. It may also be
interesting to find out what BSD does in these cases.

--Sowmini
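
An added example (not part of this message or of the kernel source): a minimal C walker for a Hop-by-Hop or Destination Options header that reports whether it carries the options named in the thread (jumbo payload, router alert, CALIPSO). The function name, flag names and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option type values as assigned by IANA (the kernel's IPV6_TLV_* use the same numbers). */
enum { OPT_PAD1 = 0x00, OPT_PADN = 0x01, OPT_RTALERT = 0x05,
       OPT_CALIPSO = 0x07, OPT_JUMBO = 0xC2 };
/* Hypothetical result flags for this example. */
enum { F_RTALERT = 1, F_CALIPSO = 2, F_JUMBO = 4, F_OTHER = 8 };

/* Walk one options header (RFC 2460 layout: next header, hdr ext len in
 * 8-octet units not counting the first 8 octets, then TLV options).
 * Returns a bitmask of F_* flags, or -1 if the header is malformed. */
int classify_opts(const uint8_t *hdr, size_t avail)
{
    if (avail < 8)
        return -1;
    size_t total = ((size_t)hdr[1] + 1) * 8;
    if (total > avail)
        return -1;                       /* header claims more than we hold */
    int flags = 0;
    size_t off = 2;
    while (off < total) {
        uint8_t type = hdr[off];
        if (type == OPT_PAD1) { off++; continue; }  /* Pad1 has no length byte */
        if (off + 2 > total)
            return -1;                   /* length byte missing */
        size_t optlen = hdr[off + 1];
        if (off + 2 + optlen > total)
            return -1;                   /* option data overruns the header */
        switch (type) {
        case OPT_PADN:    break;
        case OPT_RTALERT: flags |= F_RTALERT; break;
        case OPT_CALIPSO: flags |= F_CALIPSO; break;
        case OPT_JUMBO:   flags |= F_JUMBO;   break;
        default:          flags |= F_OTHER;   break;
        }
        off += 2 + optlen;
    }
    return flags;
}

/* Constructed sample: next header 6, ext len 0, Router Alert (value 0), PadN(0). */
const uint8_t sample_hbh[8] = { 6, 0, 0x05, 2, 0, 0, 0x01, 0 };

int main(void)
{
    printf("flags=%d\n", classify_opts(sample_hbh, sizeof sample_hbh));
    return 0;
}
```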