Re: A problem with RFC 6465's Uniform Format for Extension Headers

Fernando Gont <> Fri, 07 February 2014 13:44 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7601E1A1EF8 for <>; Fri, 7 Feb 2014 05:44:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.403
X-Spam-Status: No, score=-1.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RANDOM_SURE=0.499, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id o6Yb9H-alI6W for <>; Fri, 7 Feb 2014 05:44:12 -0800 (PST)
Received: from ( [IPv6:2a00:d10:2000:e::3]) by (Postfix) with ESMTP id 3C4A11A00F5 for <>; Fri, 7 Feb 2014 05:44:11 -0800 (PST)
Received: from [2001:5c0:1000:a::533] by with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.82) (envelope-from <>) id 1WBlim-0002Xg-FS; Fri, 07 Feb 2014 14:43:56 +0100
Message-ID: <>
Date: Fri, 07 Feb 2014 10:21:11 -0300
From: Fernando Gont <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Ole Troan <>
Subject: Re: A problem with RFC 6465's Uniform Format for Extension Headers
References: <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Thomas Narten <>, "" <>, "C. M. Heard" <>, Suresh Krishnan <>, Tim Chown <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Feb 2014 13:44:14 -0000

Hi, Ole,

On 02/07/2014 06:05 AM, Ole Troan wrote:
>> But to keep hearing that e.g. extensions are expected to work
>> when I'm measuring over 40% of breakage, It seems to boil down to
>> "you, heretic! don't filter these packets!" on one side and "shut
>> up! you don't know how to run a network" on another. *That*
>> doesn't seem to be the more sane approach to this issue.
> I think we have to be careful throwing these numbers about without 
> qualifying them.
> aren't you in many cases detecting filtering in front of services, 
> where the operator has very good control of how their traffic
> should look like?

Probably, I guess -- I'm in the process of finding out where these
packets are being filtered.

But widespread filtering of stuff that is supposed to be "ignored if
unsupported" eventually leads to "It's not usable, because if you try
to, your packets get dropped".

If, say, tomorrow you come up with this shiny cool new Dst Opt-based
extension for clients, then, from starters, you would have to think of
a back-up plan, because in more than 40% cases your packets would get
dropped just because of that extension. -- that's where we are right now.

> you are not saying if you, me and 8 of our other friends decided
> to use a new L4 protocol we invented between ourselves, those
> packets would in 40% of cases be filtered by the Internet core?

I'm certainly not.

But let's consider this:

We want IPv6 to be extensible, so we have IPv6 extension headers. And
we want middle-boxes to be able to find the upper layer header (or
else the higher the chances our packets will be dropped on the floor).
The options/scenarios are:

1) Pre-RFC6465: If I'm a middle-box and receive a packet, I have no
way of telling whether it's a protocol that I'm supposed to allow
(that just happens to have a unsupported EH), or an upper-layer
protocol that I shouldn't be letting through. So my options:
      a) Drop those packets -- and now you have widespread deployment of
         devices at the edge that wouldn't allow new transport
         protocols or new EHs

      b) Allow everything -- which I doubt would be the case if e.g. any
         sort of firewalling is meant to be in place.

2) post-RFC6465/now:
Firstly, I'd like to believe that RFC6465 has not been interpreted as
"any other Next-Header values you don't explicitly support should
follow the uniform format". Or else a new transport protocol would
look (to any device trying to process the entire IPv6 header chain)
like a malformed EH and get dropped.  -- it might be a dumb
interpretation.. but that's how many of us interpreted RFC6465 at one
point or another.

Secondly, we really need to provide a mechanism for middle-boxes to
find the upper-layer header. Simple example: Let's say that I have a
home firewall that is meant to just allow outgoing communication
instances (for which extension headers are deemed as "fine"). Without
a way to parsing new EHs (such as in the I-D we posted). Such firewall
would simply drop new EHs, not because it wants, but rather because it
has no way of telling what's an extension, and what's a protocol that
it doesn't want to let through. In that case, we should completely
forget about our ability to specify new (usable) EHs.


Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492