Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)
Nick Hilliard <nick@inex.ie> Tue, 11 June 2013 15:45 UTC
Return-Path: <nick@inex.ie>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78CEC21F994A for <v6ops@ietfa.amsl.com>; Tue, 11 Jun 2013 08:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19Q7YB0JnYiv for <v6ops@ietfa.amsl.com>; Tue, 11 Jun 2013 08:45:42 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) by ietfa.amsl.com (Postfix) with ESMTP id 2847521F996C for <v6ops@ietf.org>; Tue, 11 Jun 2013 08:45:40 -0700 (PDT)
X-Envelope-To: <v6ops@ietf.org>
Received: from pancake.netability.ie (pancake.netability.ie [87.198.142.197]) (authenticated bits=0) by mail.netability.ie (8.14.7/8.14.5) with ESMTP id r5BFjTGv030029 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for <v6ops@ietf.org>; Tue, 11 Jun 2013 16:45:29 +0100 (IST) (envelope-from nick@inex.ie)
Message-ID: <51B74619.5010602@inex.ie>
Date: Tue, 11 Jun 2013 16:45:29 +0100
From: Nick Hilliard <nick@inex.ie>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: v6ops@ietf.org
References: <51B6876A.9020202@si6networks.com> <CAD6AjGRuSShUNWE=Dy_e+Y3sVAro-nwyvD8wYy11wN=MfsTXDg@mail.gmail.com> <51B69AB8.3080502@gmail.com> <CAD6AjGSf3LQjfiT-hmKdoDTGxjEQeVSRwUvRKehx=BpNASX7Ww@mail.gmail.com> <51B69FDB.1090809@gmail.com> <CAD6AjGRCKjY83-mD2EMh7bnENksE5AC5ecG5O7K_4H_7PyYW7w@mail.gmail.com> <9636419F-A126-4775-A6C9-3864F8C22323@puck.nether.net> <1370955414.21828.YahooMailNeo@web2802.biz.mail.ne1.yahoo.com> <m2y5agn0bm.wl%randy@psg.com>
In-Reply-To: <m2y5agn0bm.wl%randy@psg.com>
X-Enigmail-Version: 1.5.1
X-Company-Info-1: Internet Neutral Exchange Association Limited. Registered in Ireland No. 253804
X-Company-Info-2: Registered Offices: 1-2, Marino Mart, Fairview, Dublin 3
X-Company-Info-3: Internet Neutral Exchange Association Limited is limited by guarantee
X-Company-Info-4: Offices: 4027 Kingswood Road, Citywest, Dublin 24.
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [v6ops] Limiting the size of the IPv6 header chain (draft-ietf-6man-oversized-header-chain)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2013 15:45:43 -0000
On 11/06/2013 16:17, Randy Bush wrote: >> 2008? RH0? >> Dudes, have we not moved beyond this? > > Jun 10 15:03:54 psg kernel: IPFW2: IPV6 - Unknown Extension Header(64), ext_hd=0 > > welcome to the operational internet I had a look at the ipfw2 code yesterday. In fact it handles extension headers in the kernel code, but I have no idea how you might configure this from userland because it sure as hell ain't documented. Best wishes to anyone who can figure this out. Please document it somewhere if you figure it. EHs are supported on OpenBSD PF, but not on the version that ships with freebsd. The configuration mechanism for this is fine. linux iptables supports EHs, and is as easy to configure from the command line as any other iptables command (that is not a compliment, btw). Cisco ASA also supports extension headers and only allows frag and HBH by default - everything else is dropped. Despite the documentation on the cisco web site, I eventually figured out how to change this behaviour. Apparently, you need to configure up a policy map of type "inspect ipv6", then hook that into whatever service inspection profile you're using for that traffic. In other words, this forces packets with EHs to run through the PIXOS inspection engine which is lulzerrifically slow, and can be used as a simple denial of service mechanism. I didn't look at anything else because this all made me a sad bunny and I had real work to do. Nick
- Re: [v6ops] Limiting the size of the IPv6 header … Gert Doering
- Re: [v6ops] Limiting the size of the IPv6 header … Robert Elz
- Re: [v6ops] Limiting the size of the IPv6 header … Nick Hilliard
- Re: [v6ops] [6MAN] Re: Limiting the size of the I… Warren Kumari
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- [v6ops] Limiting the size of the IPv6 header chai… Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … cb.list6
- Re: [v6ops] Limiting the size of the IPv6 header … Brian E Carpenter
- Re: [v6ops] Limiting the size of the IPv6 header … cb.list6
- Re: [v6ops] Limiting the size of the IPv6 header … Brian E Carpenter
- Re: [v6ops] Limiting the size of the IPv6 header … cb.list6
- Re: [v6ops] Limiting the size of the IPv6 header … Jared Mauch
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Nalini Elkins
- Re: [v6ops] Limiting the size of the IPv6 header … Randy Bush
- Re: [v6ops] [6MAN] Re: Limiting the size of the I… Warren Kumari
- Re: [v6ops] Limiting the size of the IPv6 header … Nalini Elkins
- Re: [v6ops] Limiting the size of the IPv6 header … Randy Bush
- Re: [v6ops] Limiting the size of the IPv6 header … Nalini Elkins
- Re: [v6ops] [6MAN] Re: Limiting the size of the I… Warren Kumari
- Re: [v6ops] Limiting the size of the IPv6 header … Brian E Carpenter
- Re: [v6ops] Limiting the size of the IPv6 header … Sander Steffann
- Re: [v6ops] Limiting the size of the IPv6 header … Mark Andrews
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Gert Doering
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Gert Doering
- Re: [v6ops] Limiting the size of the IPv6 header … Brian E Carpenter
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Ole Troan
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Ole Troan
- Re: [v6ops] Limiting the size of the IPv6 header … Jeroen Massar
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Ole Troan
- [v6ops] Discussion about header chains (was Re: L… Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … sthaug
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Ole Troan
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] Limiting the size of the IPv6 header … Ray Hunter
- Re: [v6ops] [6MAN] Re: Limiting the size of the I… Warren Kumari
- Re: [v6ops] Limiting the size of the IPv6 header … Joe Touch
- Re: [v6ops] Limiting the size of the IPv6 header … Fernando Gont
- Re: [v6ops] [6MAN] Re: Limiting the size of the I… Joe Touch
- Re: [v6ops] [6MAN] Re: Limiting the size of the I… Fernando Gont
- Re: [v6ops] [6MAN] Re: Limiting the size of the I… Mark Andrews
- Re: [v6ops] Limiting the size of the IPv6 header … Arturo Servin
- Re: [v6ops] Limiting the size of the IPv6 header … Brian E Carpenter
- Re: [v6ops] Discussion about header chains (was R… Jeroen Massar
- Re: [v6ops] Limiting the size of the IPv6 header … Randy Bush
- Re: [v6ops] [Int-area] Limiting the size of the I… cb.list6
- Re: [v6ops] Discussion about header chains (was R… Joe Touch
- Re: [v6ops] Discussion about header chains (was R… Jeroen Massar
- Re: [v6ops] Discussion about header chains (was R… Joe Touch
- Re: [v6ops] Discussion about header chains (was R… Jeroen Massar
- Re: [v6ops] Limiting the size of the IPv6 header … Ray Hunter
- Re: [v6ops] Limiting the size of the IPv6 header … Tom Taylor
- Re: [v6ops] Limiting the size of the IPv6 header … Ray Hunter
- Re: [v6ops] Limiting the size of the IPv6 header … Tom Taylor
- Re: [v6ops] Limiting the size of the IPv6 header … Ray Hunter
- Re: [v6ops] Limiting the size of the IPv6 header … Brian E Carpenter
- Re: [v6ops] Limiting the size of the IPv6 header … Brian E Carpenter
- Re: [v6ops] Limiting the size of the IPv6 headerc… Tony Hain
- Re: [v6ops] Limiting the size of the IPv6 headerc… Lorenzo Colitti
- Re: [v6ops] Limiting the size of the IPv6 headerc… Bill Jouris