On Feb 9, 2015, at 11:11 AM, C. M. Heard <[email protected]> wrote:

> As I argue in
> http://www.ietf.org/mail-archive/web/opsec/current/msg01817.html,
> the switch opens itself up to DOS attacks if it assumes that any
> unknown header in the chain conforms to RFC 6564 and attempts to
> continue parsing the header chain.

Yes, you made this argument. But how does this constitute a DoS attack? You have a 1500-byte packet, and you have some kind of fast-path hardware that's trying to parse the packet. At some point it will either succeed or fail. Most such hardware doesn't even look very far into the packet--maybe 256 bytes at most.

I asked you earlier in this conversation to describe a specific attack, not make general speculations. Can you describe a specific attack here and explain why it is bad?

Remember that we are specifically talking about filtering DHCPv6 here, not solving the general problem of eliminating possibly bogus packets at the switching fabric so that hosts don't see them. Remember too that the packet has to actually be _valid_ when it's forwarded to the host: it's not sufficient that it simply make it through the filter. Otherwise the host will not see it as a DHCPv6 packet, and the shield will have succeeded even though it passed the packet. So the packet has to use a valid chain of extension headers that the host can successfully parse, even if they are unknown to the switch. Can you describe an attack that works in the presence of all these requirements?

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
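An added example, not code from the thread or from either participant, of the filter-design choice being argued over: a Python walker over an IPv6 extension-header chain with a fixed inspection budget and a flag for whether an unknown Next Header value is assumed to use the RFC 6564 layout. The sample packet, the experimental header value 253 and the 256-byte budget are constructed assumptions.

```python
import struct

IPV6_HDR_LEN = 40
UDP, TCP, ICMPV6, NO_NEXT = 17, 6, 58, 59
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
# Chain headers whose layout the walker knows. AH (51) and ESP (50) are left
# out on purpose: neither uses the Next Header / Hdr Ext Len layout.
KNOWN_EXT = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
DHCPV6_SERVER_PORT = 547  # server-to-client messages are sourced from 547


def ext_len(pkt, off):
    """Octets in a Hdr Ext Len-style header: (len + 1) * 8 (RFC 6564 layout)."""
    return (pkt[off + 1] + 1) * 8


def classify(pkt, inspect_limit=256, trust_unknown_rfc6564=False):
    """Walk the chain; return (verdict, reason), verdict in {'dhcpv6','other','drop'}."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "drop", "not an IPv6 packet"
    nh, off = pkt[6], IPV6_HDR_LEN
    while True:
        if off + 8 > min(len(pkt), inspect_limit):
            return "drop", "chain runs past inspection budget"
        if nh == UDP:
            sport = struct.unpack("!H", pkt[off:off + 2])[0]
            return ("dhcpv6" if sport == DHCPV6_SERVER_PORT else "other"), "UDP reached"
        if nh in (TCP, ICMPV6, NO_NEXT):
            return "other", "non-UDP upper layer"
        if nh == FRAGMENT:  # fixed 8 octets; only a first fragment carries the upper layer
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return "drop", "non-first fragment hides the upper-layer header"
            nh, off = pkt[off], off + 8
        elif nh in KNOWN_EXT or trust_unknown_rfc6564:
            nh, off = pkt[off], off + ext_len(pkt, off)
        else:
            return "drop", f"unknown next header {nh}"  # fail closed


def build_packet(unknown_nh=253):
    """Constructed sample: IPv6 / Dest Opts / experimental hdr (RFC 6564 layout) / UDP 547."""
    udp = struct.pack("!HHHH", DHCPV6_SERVER_PORT, 546, 8, 0)
    exp = bytes([UDP, 0]) + bytes(6)                 # unknown header, Next Header = UDP
    dopt = bytes([unknown_nh, 0, 1, 4, 0, 0, 0, 0])  # Dest Opts padded with one PadN
    payload = dopt + exp + udp
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), DEST_OPTS, 64)
    return ip6 + bytes(32) + payload  # zeroed src/dst addresses as placeholders
```

With the default fail-closed setting the sample packet is dropped at the unknown header; with `trust_unknown_rfc6564=True` the walker reaches UDP and classifies it as DHCPv6, which is the trade-off the two messages above are debating.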
