On 2/8/15 11:01 PM, Ted Lemon wrote:
> On Feb 8, 2015, at 11:58 PM, Brian E Carpenter <[email protected]> wrote:
>> A middlebox that is trying to flush out a specific type of
>> upper layer protocol (such as DHCPv6) needs to parse all extension
>> headers, including ones it doesn't understand, in case there is
>> an instance of the upper layer protocol behind it.
>>
>> In the real world, that means that such middleboxes, if they are
>> of the paranoid security persuasion, will discard packets that,
>> as far as they are concerned, are unparseable.
>
> Can you explain, in detail, what a DHCPv6 packet would look like that would get
> past a filter because either it used unknown extension headers, or an unknown
> protocol header?

Better yet, could you give an example packet with a fake new extension
header that a middlebox would think is not a DHCPv6 packet, but in fact is?
pr
--
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478
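
Added example (not part of the thread, and not code from any participant): a filter-side sketch of the header-chain walk the quoted text describes, returning a third verdict, `unparseable`, when it meets a Next Header value it does not recognise. The function names, the small protocol tables and the sample packets are assumptions constructed for illustration.

```python
import struct

# Deliberately small tables: an assumption of this sketch, not a full registry.
EXT_TLV = {0, 43, 60}      # Hop-by-Hop, Routing, Destination Options
FRAGMENT, UDP = 44, 17
NOT_UDP = {6, 58, 59}      # TCP, ICMPv6, No Next Header
DHCPV6_PORTS = {546, 547}

def classify(pkt: bytes) -> str:
    """Walk the Next Header chain; return 'dhcpv6', 'other' or 'unparseable'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "unparseable"
    nh, off = pkt[6], 40
    while True:
        if nh in EXT_TLV:
            if off + 2 > len(pkt):
                return "unparseable"
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "unparseable"
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off:   # non-first fragment carries no upper-layer header
                return "unparseable"
            nh, off = pkt[off], off + 8
        elif nh == UDP:
            if off + 8 > len(pkt):
                return "unparseable"
            _, dport = struct.unpack("!HH", pkt[off:off + 4])
            return "dhcpv6" if dport in DHCPV6_PORTS else "other"
        elif nh in NOT_UDP:
            return "other"
        else:
            # Unknown value: extension header or upper-layer protocol? Cannot tell.
            return "unparseable"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed 40-byte IPv6 header (all-zero addresses) plus payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

def udp(sport: int, dport: int, data: bytes = b"\x01\x00\x00\x01") -> bytes:
    """Constructed UDP header; checksum left at 0 because classify() ignores it."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples
PLAIN = ipv6(17, udp(546, 547))
DSTOPT = ipv6(60, bytes([17, 0, 1, 4, 0, 0, 0, 0]) + udp(546, 547))  # PadN only
UNKNOWN = ipv6(253, bytes(16))   # 253 is reserved for experimentation
```

What the filter does with an `unparseable` verdict is the policy choice the quoted text is about: a fail-closed device drops the packet, a fail-open device forwards it unclassified.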