Re: [v6ops] Extension Headers / Impact on Security Devices

"Eric Vyncke (evyncke)" <> Thu, 28 May 2015 15:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E0CBE1ACD5F for <>; Thu, 28 May 2015 08:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gZTQDvpi64BG for <>; Thu, 28 May 2015 08:26:09 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B86071B2B52 for <>; Thu, 28 May 2015 08:26:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2936; q=dns/txt; s=iport; t=1432826767; x=1434036367; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=V2opCpsLJv+DpWocsCjN1NiO+B17eiPXyZNt+DdyheA=; b=UgH2Qccrj+LzQpoCrkOwqFwMZqfWsTnhBMpgWQ1ag704WAtXePT7VG9S LHp7F5uuxYCRYDvfxX/a6A05blxfq4OIlhDZDg7XJ35A+DHye6uB6vxAe C34wudsM9pF2oMsqZt45ExixS0XYL5TEm/iSioblVK9yhz6mEJR31bAyt M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.13,513,1427760000"; d="scan'208";a="2559043"
Received: from ([]) by with ESMTP; 28 May 2015 15:26:06 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id t4SFQ6LR029585 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 28 May 2015 15:26:07 GMT
Received: from ([]) by ([]) with mapi id 14.03.0195.001; Thu, 28 May 2015 10:26:06 -0500
From: "Eric Vyncke (evyncke)" <>
To: Gert Doering <>, Brian E Carpenter <>
Thread-Topic: [v6ops] Extension Headers / Impact on Security Devices
Thread-Index: AQHQjwOUSoUfhjfqOU2VSvc4/QdUh52O8gsqgABXE4CAAAaigIAABSaAgAAHmwCAAHnhgIACNimA
Date: Thu, 28 May 2015 15:26:06 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <20150527073943.GA54385@Space.Net>
In-Reply-To: <20150527073943.GA54385@Space.Net>
Accept-Language: fr-FR, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Cc: "Mark Townsley \(townsley\)" <>, "" <>, "Stefano Previdi \(sprevidi\)" <>
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 May 2015 15:26:12 -0000

Segment Routing Header is currently drafted as another type of routing
header and are drafted to be inserted either by the source or by the
ingress router of a SR-configured domain (then being removed at the exit
of the SR-domain). Destination Option is not useful here as it is
inspected/processed only by the destination while the intent of SR is to
have this information processed by a couple of intermediate routers (which
have a specific configuration as SRH is not enabled by default).

Of course, this causes MTU issues (pretty much like MPLS but at a
different layer) within one domain which is solvable. The performance
issues need to be handled (as Joe wrote). But, as long as the pros/cons
balance is on the pro side, then it is valuable.


On 27/05/15 09:39, "Gert Doering" <> wrote:

>On Wed, May 27, 2015 at 12:23:30PM +1200, Brian E Carpenter wrote:
>> > FWIW, I don't see anything that prohibits adding headers either.
>> "With one exception, extension headers are not examined or processed
>> by any node along a packet's delivery path, until the packet reaches
>> the node (or each of the set of nodes, in the case of multicast)
>> identified in the Destination Address field of the IPv6 header."
>> To me that clearly implies not adding (which is a form of processing).
>So how do the SR folks handle that?  From what I heard, the intended
>deployment really is "inside your administrative domain, SR headers get
>added, processed, and when the packet leaves your domain, they can be
>(optionally) removed again to not upset your neighbours"...
>Gert Doering
>        -- NetMaster
>have you enabled IPv6 on something today...?
>SpaceNet AG                        Vorstand: Sebastian v. Bomhard
>Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A.
>D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
>Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
>v6ops mailing list