Re: [v6ops] Extension Headers / Impact on Security Devices

Brian E Carpenter <> Wed, 27 May 2015 20:29 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4C58A1A8A67 for <>; Wed, 27 May 2015 13:29:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z53aIZN6rByL for <>; Wed, 27 May 2015 13:29:36 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c02::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EC3B41A005B for <>; Wed, 27 May 2015 13:29:35 -0700 (PDT)
Received: by pdbqa5 with SMTP id qa5so24954445pdb.0 for <>; Wed, 27 May 2015 13:29:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=zFTtECNn6x/cw97aHMKNqrB7/6K/qlp1ffTxCJKABvQ=; b=kX5qIx6h92fqxmIt8r4iBvoahn7xfMhvgAD0rQTyDPTQuX9GUAjyD6hCTzUwpe2O5v bUoGZ5enRGsALSMykBj5Bhr11nXgxJYkW2/voUZruaotKeLGhdFD2kZRteMe/5tc5Cv4 edz6ViuFs3wZge7PXmpwBP7QxgwOPdBLNy2lstzLyvjf1j6kK8O8mNTyTvVGwFjf3bpn uOplgecKREX2hX/gfbF1LTFGy9qw5UK2uLlRI4tghkmYMXFvCpIddN4kgddGpVWHulHy nOj5sVRqaPy/t2sy4NvZsD2Hetl2zx9GCOpR5VZ1ua0sOC0LQVcRM5IF8WqUEVB3Ekhc 5Y6Q==
X-Received: by with SMTP id pe8mr54318184pbb.133.1432758575534; Wed, 27 May 2015 13:29:35 -0700 (PDT)
Received: from ?IPv6:2406:e007:4eff:1:28cc:dc4c:9703:6781? ([2406:e007:4eff:1:28cc:dc4c:9703:6781]) by with ESMTPSA id ph4sm41420pdb.43.2015. (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 27 May 2015 13:29:34 -0700 (PDT)
Message-ID: <>
Date: Thu, 28 May 2015 08:29:37 +1200
From: Brian E Carpenter <>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Joe Touch <>, Gert Doering <>
References: <> <> <> <> <> <> <> <> <> <> <20150527073943.GA54385@Space.Net> <>
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 May 2015 20:29:37 -0000

On 28/05/2015 05:24, Joe Touch wrote:
> On 5/27/2015 12:39 AM, Gert Doering wrote:
>> Hi,
>> On Wed, May 27, 2015 at 12:23:30PM +1200, Brian E Carpenter wrote:
>>>> FWIW, I don't see anything that prohibits adding headers either.
>>> "With one exception, extension headers are not examined or processed
>>> by any node along a packet's delivery path, until the packet reaches
>>> the node (or each of the set of nodes, in the case of multicast)
>>> identified in the Destination Address field of the IPv6 header."
>>> To me that clearly implies not adding (which is a form of processing).
>> So how do the SR folks handle that?  From what I heard, the intended
>> deployment really is "inside your administrative domain, SR headers get
>> added, processed, and when the packet leaves your domain, they can be
>> (optionally) removed again to not upset your neighbours"...
> AFAICT, SR headers are destination options, and aren't supposed to be
> modified by anything but the endpoints (where each addressed hop in such
> a route is such an endpoint).
> So I would think that they MUST NOT be added to IPv6 datagrams except by
> the source.

I agree, but I think the SR people prefer to think otherwise, which just
stacks up MTU problems for the future. We know that features designed
for "local" use have a tendency to be deployed much more widely than
their designers intended.


> In many of the cases we're discussing, the nodes inside an AD act "on
> behalf" of a source or sink, and that's the logic by which they are
> allowed such modification. HOWEVER, whenever you act on behalf of a
> source or sink, you ARE effectively a source or sink and thus beholden
> to the source/sink requirements, not merely router requirements.
> I.e., if you want the performance of a router, act like a router and
> nothing more. If you want to act like a host, you need will have the
> performance of a host.
> Joe