On 07/15/2014 09:08 PM, Brian E Carpenter wrote:
> Thanks Fernando, so to focus on your question:
> 
>> My question is: do we want to do something different with HBH EH than
>> what we do with Router Alert in IPv4?
> 
> The problem with both of these great inventions is that a single
> box on the path that takes the "drop" option breaks everything,
> whereas "ignore" at least provides best effort service and
> protects against any specific attack on the middlebox.

As noted, I think this option is a sensible one.

That said, let me provide a "heads up" on the current state of affairs
with respect to IPv6 EHs:

   +--------------+-----------------+-----------------+----------------+
   |   Dataset    |       DO8       |       HBH8      |     FH512      |
   +--------------+-----------------+-----------------+----------------+
   |     Web      |      11.88%     |      40.70%     |     30.51%     |
   |              | (17.60%-20.80%) | (31.43%-40.00%) | (5.08%-6.78%)  |
   +--------------+-----------------+-----------------+----------------+
   | Mailservers  |      17.07%     |      48.86%     |     39.17%     |
   |              |  (6.35%-26.98%) | (40.50%-65.42%) | (2.91%-12.73%) |
   +--------------+-----------------+-----------------+----------------+
   | Nameservers  |      15.37%     |      43.25%     |     38.55%     |
   |              | (14.29%-33.46%) | (42.49%-72.07%) | (3.90%-13.96%) |
   +--------------+-----------------+-----------------+----------------+


(DO8: Dest Options Header of 8 bytes, etc.)

The numbers indicate the packet drop rate. The numbers within
parenthesis indicate the percentage of cases where such packet drops
occur in an AS different from that of the destination system.

(i.e., this would suggest "think twice before employing IPv6 EHs... then
don't").


> As far as the destination host goes, HbH can't be any more
> dangerous than a destination option.

As long as intermediate systems ignore them (as suggested in RFC 7045).



> I personally don't care much in the IPv4 case, since router
> alert seems to be a dead duck anyway. It's possible that's
> going to be the case for HbH, but I think we should give it
> a chance.

That's why I raised the question. That said, the numbers I've provided
above would suggest that this other duck is dead already, too. :-(

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
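The DO8 / HBH8 / FH columns in the table above refer to specific IPv6 extension headers and their on-the-wire sizes. The following Python is an added example, not code from the thread or from SI6 Networks: it builds a constructed IPv6 packet carrying an 8-byte Hop-by-Hop header, an 8-byte Destination Options header and a Fragment header, and then walks the header chain the way a middlebox or a defender's packet parser must if it wants to skip extension headers instead of dropping them (the behaviour RFC 7045 asks for). The sizes come from RFC 8200 (Hdr Ext Len is in 8-octet units excluding the first 8 octets; the Fragment header is always 8 bytes) and RFC 4302 (AH length is in 32-bit words minus 2). Addresses and payload are constructed sample values; the function and constant names are my own.

```python
import socket
import struct

IPV6_HDR_LEN = 40

# Next Header / protocol numbers from the IANA registry.
NH_HOPOPT = 0
NH_UDP = 17
NH_ROUTING = 43
NH_FRAGMENT = 44
NH_AH = 51
NH_DSTOPTS = 60

# Extension headers a path element has to be able to step over.
EH_NAMES = {
    NH_HOPOPT: "HBH",
    NH_ROUTING: "Routing",
    NH_FRAGMENT: "Fragment",
    NH_AH: "AH",
    NH_DSTOPTS: "DstOpts",
}


def ipv6_header(next_header, payload_len, src, dst):
    """Fixed 40-byte IPv6 header: version 6, no traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


def padn_options_header(next_header, total_len=8):
    """HBH or Destination Options header of total_len bytes holding one PadN option.

    Both headers share the format: Next Header, Hdr Ext Len (8-octet units,
    not counting the first 8), then options. An 8-byte header has Hdr Ext Len 0.
    """
    assert total_len % 8 == 0 and total_len >= 8
    ext_len = total_len // 8 - 1
    opt_bytes = total_len - 2          # room left for options
    # PadN (RFC 8200 4.2): type 1, data length N-2, then N-2 zero bytes.
    option = bytes([1, opt_bytes - 2]) + b"\x00" * (opt_bytes - 2)
    return bytes([next_header, ext_len]) + option


def fragment_header(next_header, frag_offset, more_fragments, ident):
    """Fragment header is always 8 bytes; offset is in 8-octet units, M flag is bit 0."""
    off_and_flags = (frag_offset << 3) | (1 if more_fragments else 0)
    return struct.pack("!BBHI", next_header, 0, off_and_flags, ident)


def walk_ext_headers(pkt):
    """Walk the extension header chain of an IPv6 packet.

    Returns ([(name, length_in_bytes), ...], upper_layer_protocol, offset_of_upper_layer).
    Raises ValueError on truncated or non-IPv6 input rather than guessing.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]
    off = IPV6_HDR_LEN
    chain = []
    while nh in EH_NAMES:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:
            hlen = 8                          # fixed size
        elif nh == NH_AH:
            hlen = (pkt[off + 1] + 2) * 4     # RFC 4302: length in 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8     # RFC 8200: 8-octet units excluding first 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        chain.append((EH_NAMES[nh], hlen))
        nh = pkt[off]                         # Next Header is always the first octet
        off += hlen
    return chain, nh, off


def build_sample_packet():
    """Constructed packet: IPv6 | HBH(8) | DstOpts(8) | Fragment(8) | UDP header + 4 bytes."""
    udp = struct.pack("!HHHH", 53, 53, 12, 0) + b"abcd"   # constructed UDP header, 4-byte body
    ehs = (padn_options_header(NH_DSTOPTS)                 # HBH, points at DstOpts
           + padn_options_header(NH_FRAGMENT)              # DstOpts, points at Fragment
           + fragment_header(NH_UDP, 0, True, 0x1234))     # Fragment, points at UDP
    src = socket.inet_pton(socket.AF_INET6, "2001:db8::1")  # constructed addresses
    dst = socket.inet_pton(socket.AF_INET6, "2001:db8::2")
    return ipv6_header(NH_HOPOPT, len(ehs) + len(udp), src, dst) + ehs + udp


if __name__ == "__main__":
    chain, proto, off = walk_ext_headers(build_sample_packet())
    print("extension headers:", chain)        # [('HBH', 8), ('DstOpts', 8), ('Fragment', 8)]
    print("upper-layer protocol:", proto, "at offset", off)
```

The parser deliberately treats AH and the Fragment header as the special cases they are; a box that applied the generic "Hdr Ext Len times 8" rule to every type would misparse both, which is one of the practical reasons some middleboxes fall back to dropping anything with an extension header rather than stepping over it.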




_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec