Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices

Brian E Carpenter <> Wed, 17 June 2015 21:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7F7FD1A8756 for <>; Wed, 17 Jun 2015 14:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fqR18vDy7e6T for <>; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c02::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A82541A8729 for <>; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
Received: by pdbki1 with SMTP id ki1so49302525pdb.1 for <>; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=bKOVIUSUVRmLwxCr2AagMum7bcAFcGxWjPZ56eN6j0c=; b=ByYtde5ws64HhPkFkfLqTXPekJ34t9WWsKu7pv0AJq6DDo3nK8DJaXHJb3bQE3+2dF uieUAH11Q6v4SIaWdvUCNr4C//T6BVgDvym3ygnP1mwk5EM2dEbF4yh7PoDHhNgtK5cm ALTQu5tWt6I1QaqMVi0ol1Ind1rKTMof+by8dqYT6f3lb76GoeUqkSHBdXdua9NMvAHN 6cE/P5nEjyPQeOY7uwsgSiTx9dH2lJXBYwG76PEFz1pmQbwJaj0KfN3QS01NAKaWp5CJ Evz43QAcOaW8VhXkp9BxJw+cp//aihXdxBAL0fncJvcB4zF+UGEAyYttJI8yPzCMAzKy IKSg==
X-Received: by with SMTP id kv14mr14471904pab.5.1434575614397; Wed, 17 Jun 2015 14:13:34 -0700 (PDT)
Received: from ?IPv6:2406:e007:64d6:1:28cc:dc4c:9703:6781? ([2406:e007:64d6:1:28cc:dc4c:9703:6781]) by with ESMTPSA id o7sm5706139pdi.16.2015. (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Jun 2015 14:13:32 -0700 (PDT)
Message-ID: <>
Date: Thu, 18 Jun 2015 09:13:35 +1200
From: Brian E Carpenter <>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Enno Rey <>, Jen Linkova <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <>
Cc: "" <>, " IPv6" <>
Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 17 Jun 2015 21:13:36 -0000

Catching up on a few points in this thread that went crazy
while I was sleeping...

On 18/06/2015 02:00, Enno Rey wrote:

> Yes, we're aware of RFC7112. It's just: no OS we know and no devices we're aware of (feel free to provide pointers) implement RFC 7112 as of today. 

No, it's too new. But I suggest that it gives you license to drop packets
with fragmented header chains, and tell anyone who complains that they
don't conform to the IPv6 standard.

> but many attack tools implement the techniques mentioned above. Which is why quite some operators (in particular, but not only) from enterprise and managed service provider/cloud space drop all EHs except, maybe, AH+ESP.

Whereas dropping *all* EHs breaks the IPv6 standard.

On 18/06/2015 03:11, Ca By wrote:

> For the folks looking for extension header innovation, would you be willing
> to work on IP version X instead of IPv6?  Or perhaps you can use the Class
> E IPv4 space for your innovation?

Now that's a polemic, not an argument. But since you ask: of course not.

> Serious.  IPv6 is not a place for innovation at the Network / Internet
> layer.

EHs as an extension mechanism are *not* innovation. They've been in the design
for 20 years. I'm actually with Fred on this: it's time for the hardware
designers to step up. With RFC 7112, we've told them that the maximum packet
size they need to parse is 1280 (after removing tunneling overhead).