Re: [v6ops] Extension Headers / Impact on Security Devices

Silvia Hagen <> Thu, 21 May 2015 14:38 UTC

So to summarize:

EHs such as destination options and fragment are no issue in the Internet and must not be filtered, nor analyzed, simply forwarded in hardware based on the information in the IPv6 header.
And what the administrator does within his administrative domain is up to his choice and the Internet need not care about it.

Is that correct?
If yes, what is the problem?

If that is how it is supposed to work we need to educate people who feel that EHs must be filtered in the Internet.
Now hop-by-hop is obviously different. But is it needed in the Internet? Again, what I do internally, nobody out there cares.


-----Original Message-----
From: v6ops [] On Behalf Of Eric Vyncke (evyncke)
Sent: Wednesday, 20 May 2015 14:29
To: Tim Chown; Joe Touch
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices

On 20/05/15 10:14, "Tim Chown" <> wrote:
>The other question is what existing work is being done that relies on 
>the correct (desired) operation of EHs? The two that would spring out 
>would be segment routing and sfc, at least one of which is using the 
>existing Routing Header. If such protocols are constrained to specific 
>administrative domains then their successful operation I would assume 
>is down to specific EH handling in the equipment in that domain, and 
>its capabilities, rather than (undesired) operator filtering somewhere 
>between sender and receiver.

The primary use case of segment routing is indeed within a single administrative domain, so, EH does not cause a problem.

OTOH, this whole discussion is pretty close to having a discussion on whether an ISP should block everything which is neither UDP nor TCP? Or block currently-unallocated TCP/UDP ports? (and I appreciate that there are differences of course).

To Enno's original point: it is fair for a destination domain to handle (permit, drop, log, inspect) incoming (or outgoing BTW) packets based on layer-4 ports, layer-4 protocols or extension headers. This is their own responsibility.