On 09/02/2015 17:14, Ted Lemon wrote:
> On Feb 8, 2015, at 8:47 PM, C. M. Heard <[email protected]> wrote:
>> Yes, but there is a situation in which it is not possible to make a 
>> positive identification where a given packet is or is not a DHCPv6 
>> packet.
> 
> Can you carefully describe in detail how this could happen?

Ted, I think we have to say Hi to the elephant in the corner of the
room. There is a fundamental flaw in the IPv6 design, which is that
there is no way, in the general case, to distinguish an unknown
extension header from an unknown upper layer protocol. Now this
doesn't matter too much in a middlebox-free Internet, since (with the
well-specified exception of the hop-by-hop header) nobody ever needs
to make that distinction, since unknowns cause a packet drop at the
destination anyway. Steve Deering told me in Vancouver that this is
just fine, because middleboxes are evil anyway. But that doesn't
wash. A middlebox that is trying to flush out a specific type of
upper layer protocol (such as DHCPv6) needs to parse all extension
headers, including ones it doesn't understand, in case there is
an instance of the upper layer protocol behind it.

In the real world, that means that such middleboxes, if they are
of the paranoid security persuasion, will discard packets that,
as far as they are concerned, are unparseable.

I'm afraid that IETF documents that don't recognise this fact of life
will not be taken seriously.

    Brian
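As an added illustration of the header walk Brian describes (example code written for this page, not from the thread or from any IETF document): a minimal middlebox-style classifier that tries to decide whether an IPv6 packet is DHCPv6 by walking the extension-header chain to a UDP header on port 546/547. The set of Next Header values it knows, the zeroed sample packets and the three-way verdict are assumptions of the example; the interesting path is the one where an unknown Next Header value stops the walk even though DHCPv6 sits right behind it.

```python
import struct

# Next Header values this walker understands (assumption: a deliberately minimal set).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, NO_NEXT = 0, 43, 44, 50, 51, 60, 59
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_KNOWN = (HOP_BY_HOP, ROUTING, DEST_OPTS, AH, FRAGMENT)
DHCPV6_PORTS = {546, 547}

def classify(pkt: bytes) -> str:
    """Walk the header chain; return 'dhcpv6', 'not-dhcpv6' or 'unparseable'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "unparseable"
    nh, off = pkt[6], 40
    while True:
        if nh in (TCP, ICMPV6, NO_NEXT):
            return "not-dhcpv6"          # known upper layer that is not UDP
        if nh == ESP:
            return "unparseable"         # encrypted payload cannot be inspected
        if nh not in EXT_KNOWN and nh != UDP:
            # The elephant: an unknown Next Header may be an extension header whose
            # length field we cannot locate, or an unknown upper-layer protocol.
            # Either way the walk stops here, even if DHCPv6 follows immediately.
            return "unparseable"
        if off + 8 > len(pkt):
            return "unparseable"         # truncated header
        if nh == UDP:
            sport, dport = struct.unpack("!HH", pkt[off:off + 4])
            return "dhcpv6" if {sport, dport} & DHCPV6_PORTS else "not-dhcpv6"
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return "unparseable"     # non-first fragment: upper layer not in this packet
            nh, off = pkt[off], off + 8
        elif nh == AH:
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4  # AH Payload Len, 4-octet units
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8  # Hdr Ext Len, 8-octet units

# Constructed sample packets (addresses zeroed, no checksums) for exercising classify().
def ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + bytes(32) + payload

def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)

def dest_opts(nh: int) -> bytes:
    return bytes([nh, 0]) + bytes(6)     # 8-octet Destination Options header, Pad1 fill

if __name__ == "__main__":
    print(classify(ipv6(DEST_OPTS, dest_opts(UDP) + udp(546, 547))))   # dhcpv6
    # 253 is reserved for experimentation (RFC 4727), so no walker knows its layout.
    print(classify(ipv6(DEST_OPTS, dest_opts(253) + udp(546, 547))))   # unparseable
```

A middlebox "of the paranoid security persuasion" would drop everything that comes back as unparseable, which is exactly what the second sample packet triggers.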

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec