Re: A problem with RFC 6465's Uniform Format for Extension Headers

Karsten Thomann <> Fri, 07 February 2014 20:51 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A04551AD603 for <>; Fri, 7 Feb 2014 12:51:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.535, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id G_G3ZCWkf98V for <>; Fri, 7 Feb 2014 12:51:36 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id DB5811A0459 for <>; Fri, 7 Feb 2014 12:51:35 -0800 (PST)
Received: from linne.localnet ( by linfreserv.linfre (Axigen) with (AES256-SHA encrypted) ESMTPSA id 3135A4; Fri, 7 Feb 2014 21:51:20 +0100
From: Karsten Thomann <>
Subject: Re: A problem with RFC 6465's Uniform Format for Extension Headers
Date: Fri, 07 Feb 2014 21:51:24 +0100
Message-ID: <9041847.E8qsebI4ky@linne>
User-Agent: KMail/4.10.4 (Windows/6.1; KDE/4.10.4; i686; ; )
In-Reply-To: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="nextPart4786983.evWmSXvX4y"
Content-Transfer-Encoding: 7bit
X-AXIGEN-DK-Result: No records
DomainKey-Status: no signature
X-AxigenSpam-Level: 5
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Feb 2014 20:51:39 -0000

Am Freitag, 7. Februar 2014, 10:21:11 schrieb Fernando Gont:
> Hi, Ole,
> On 02/07/2014 06:05 AM, Ole Troan wrote:
> >> But to keep hearing that e.g. extensions are expected to work
> >> when I'm measuring over 40% of breakage, It seems to boil down to
> >> "you, heretic! don't filter these packets!" on one side and "shut
> >> up! you don't know how to run a network" on another. *That*
> >> doesn't seem to be the more sane approach to this issue.
> > 
> > I think we have to be careful throwing these numbers about without
> > qualifying them.
> > 
> > aren't you in many cases detecting filtering in front of services,
> > where the operator has very good control of how their traffic
> > should look like?
> Probably, I guess -- I'm in the process of finding out where these
> packets are being filtered.
> But widespread filtering of stuff that is supposed to be "ignored if
> unsupported" eventually leads to "It's not usable, because if you try
> to, your packets get dropped".
> If, say, tomorrow you come up with this shiny cool new Dst Opt-based
> extension for clients, then, from starters, you would have to think of
> a back-up plan, because in more than 40% cases your packets would get
> dropped just because of that extension. -- that's where we are right now.
> > you are not saying if you, me and 8 of our other friends decided
> > to use a new L4 protocol we invented between ourselves, those
> > packets would in 40% of cases be filtered by the Internet core?
> I'm certainly not.
> But let's consider this:
> We want IPv6 to be extensible, so we have IPv6 extension headers. And
> we want middle-boxes to be able to find the upper layer header (or
> else the higher the chances our packets will be dropped on the floor).
> The options/scenarios are:
> 1) Pre-RFC6465: If I'm a middle-box and receive a packet, I have no
> way of telling whether it's a protocol that I'm supposed to allow
> (that just happens to have a unsupported EH), or an upper-layer
> protocol that I shouldn't be letting through. So my options:
>       a) Drop those packets -- and now you have widespread deployment of
>          devices at the edge that wouldn't allow new transport
>          protocols or new EHs
>       b) Allow everything -- which I doubt would be the case if e.g. any
>          sort of firewalling is meant to be in place.
> 2) post-RFC6465/now:
> Firstly, I'd like to believe that RFC6465 has not been interpreted as
> "any other Next-Header values you don't explicitly support should
> follow the uniform format". Or else a new transport protocol would
> look (to any device trying to process the entire IPv6 header chain)
> like a malformed EH and get dropped.  -- it might be a dumb
> interpretation.. but that's how many of us interpreted RFC6465 at one
> point or another.
> Secondly, we really need to provide a mechanism for middle-boxes to
> find the upper-layer header. Simple example: Let's say that I have a
> home firewall that is meant to just allow outgoing communication
> instances (for which extension headers are deemed as "fine"). Without
> a way to parsing new EHs (such as in the I-D we posted). Such firewall
> would simply drop new EHs, not because it wants, but rather because it
> has no way of telling what's an extension, and what's a protocol that
> it doesn't want to let through. In that case, we should completely
> forget about our ability to specify new (usable) EHs.
> Thoughts?
> Thanks,


I think the "simple" solution is to provide middle boxes an offset to the upper layer header, if the 
EH is unknown to the box, it can still identify the upperlayer.

With that offset every middlebox can identify the used transport protocol without knowledge of 
any future EH.

I know that it is not that easy and has it's own pros and cons, but I provide it as an idea to solve 
the problem.