On Feb 9, 2015, at 2:47 PM, Brian E Carpenter <[email protected]> wrote:
> Fair enough. But let's just say that DHCPv6 Shield sees a Next Header
> value of 253. How does it know where to look for a potential UDP
> header with port 546?

Either the next header is an unknown EH conforming to RFC 6564, or else it is a protocol header. If it is a protocol header, then it is an unknown protocol header, and therefore not a UDP header. If it conforms to RFC 6564, then it can be successfully skipped, whether or not it is known.

> I simply don't believe that any security product designer will do
> anything except give up and discard the packet. Don't we want RFCs
> to live in the real world?

We want RFCs to recommend the right thing. It is likely true that at present, the implementor of a switch that implements DHCPv6 Shield may cut some corners on processing of unknown headers. However, this is not something the IETF should recommend they do, because our recommendations will last longer than the current state of the art. There is no reason to cast the limitations of the current state of the art in stone.
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
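The two positions in the exchange above can be expressed as one header-chain walker with a policy switch. The following is an added example, not code from the thread or from any DHCPv6 Shield implementation: it walks an IPv6 extension header chain, skipping any unrecognized Next Header value as an RFC 6564 uniform-format extension header when `unknown_as_eh` is true (the position argued in the reply), or giving up on it when false (the "discard the packet" behaviour Brian expects from product designers), and then applies the filtering rule the thread discusses, dropping UDP datagrams to the DHCPv6 client port 546 on ports not marked as facing a server. The packet builders, the sample packets, the function names, and the decision to forward non-first fragments are all constructed for this example; the header layouts (RFC 6564 uniform format, Fragment and AH lengths) and the experimental Next Header value 253 (RFC 4727) are as standardized.

```python
import struct

# IPv6 Next Header / protocol numbers from the IANA Protocol Numbers registry.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
TCP, UDP, ICMPV6, NO_NEXT_HEADER, SCTP, UDPLITE = 6, 17, 58, 59, 132, 136
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547

# Extension headers that use the uniform RFC 6564 layout: Next Header (1 octet),
# Hdr Ext Len (1 octet, in 8-octet units, not counting the first 8 octets), data.
UNIFORM_EHS = {HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY}
# Upper-layer protocols at which the chain walk stops.
UPPER_LAYER = {TCP, UDP, ICMPV6, SCTP, UDPLITE}
NON_FIRST_FRAGMENT = "non-first fragment: header chain not present"


def walk_header_chain(pkt: bytes, unknown_as_eh: bool):
    """Return (proto, offset, reason) for the upper-layer header of pkt.

    proto is None when the chain cannot be resolved.  With unknown_as_eh=True an
    unrecognized Next Header value is assumed to be an RFC 6564 extension header
    and skipped; with False the walk gives up on it.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, 0, "not an IPv6 packet"
    nh, off = pkt[6], 40
    while True:
        if nh in UPPER_LAYER or nh == NO_NEXT_HEADER:
            return nh, off, "ok"
        if nh == ESP:
            return None, off, "ESP: remainder of the chain is encrypted"
        if off + 8 > len(pkt):
            return None, off, "truncated extension header"
        if nh == FRAGMENT:
            # Fixed 8-octet header with no Hdr Ext Len; bits 0-12 of octets 2-3 are the offset.
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return None, off, NON_FIRST_FRAGMENT
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH Payload Len is in 4-octet units
        elif nh in UNIFORM_EHS or unknown_as_eh:
            hdr_len = (pkt[off + 1] + 1) * 8   # RFC 6564 uniform layout
        else:
            return None, off, f"unrecognized Next Header {nh}"
        if off + hdr_len > len(pkt):
            return None, off, "extension header runs past end of packet"
        nh, off = pkt[off], off + hdr_len


def dhcpv6_shield_verdict(pkt: bytes, unknown_as_eh: bool, server_facing_port: bool = False):
    """Return (verdict, reason): drop UDP to port 546 unless the port faces a DHCPv6 server."""
    proto, off, reason = walk_header_chain(pkt, unknown_as_eh)
    if proto is None:
        if reason == NON_FIRST_FRAGMENT:
            # Assumption of this example: the whole chain is in the first fragment
            # (RFC 7112), so filtering happens there and later fragments pass.
            return "forward", reason
        return "drop", reason          # cannot tell what the packet is
    if proto != UDP:
        return "forward", "not UDP, so not DHCPv6"
    if off + 8 > len(pkt):
        return "drop", "truncated UDP header"
    src_port, dst_port = struct.unpack("!HH", pkt[off:off + 4])
    if dst_port == DHCPV6_CLIENT_PORT and not server_facing_port:
        return "drop", f"DHCPv6 server message (UDP {src_port}->{dst_port}) on a non-server port"
    return "forward", "ok"


# --- constructed sample packets (hypothetical builders, not a real stack) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = b"\xfe\x80" + b"\x00" * 13 + b"\x01"   # fe80::1
    dst = b"\xfe\x80" + b"\x00" * 13 + b"\x02"   # fe80::2
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def uniform_eh(next_header: int, data: bytes) -> bytes:
    # RFC 6564 layout; data is zero-padded to an 8-octet boundary.  (A real
    # Destination Options header would use PadN; the walker never looks inside.)
    total = -(-(2 + len(data)) // 8) * 8
    return bytes([next_header, total // 8 - 1]) + data + b"\x00" * (total - 2 - len(data))


def udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Checksum left as zero in this constructed sample; the walker does not verify it.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


DHCPV6_REPLY = b"\x07\x00\x00\x01"   # constructed: msg-type 7 (Reply) + transaction id
SERVER_MSG = udp(DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT, DHCPV6_REPLY)
PKT_PLAIN = ipv6(UDP, SERVER_MSG)
PKT_DEST_OPTS = ipv6(DEST_OPTS, uniform_eh(UDP, b"\x01\x04\x00\x00\x00\x00") + SERVER_MSG)
# Next Header 253 (experimental, RFC 4727) in RFC 6564 layout, then UDP or TCP.
PKT_UNKNOWN_EH_DHCP = ipv6(253, uniform_eh(UDP, b"\x00" * 6) + SERVER_MSG)
PKT_UNKNOWN_EH_TCP = ipv6(253, uniform_eh(TCP, b"\x00" * 6) + b"\x00" * 20)
PKT_TCP = ipv6(TCP, b"\x00" * 20)
PKT_NON_FIRST_FRAG = ipv6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 8 << 3, 0x1234) + b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("plain", PKT_PLAIN), ("dest-opts", PKT_DEST_OPTS),
                      ("nh253+udp", PKT_UNKNOWN_EH_DHCP), ("nh253+tcp", PKT_UNKNOWN_EH_TCP),
                      ("tcp", PKT_TCP), ("non-first-frag", PKT_NON_FIRST_FRAG)]:
        for policy in (True, False):
            print(f"{name:15} unknown_as_eh={policy!s:5} -> {dhcpv6_shield_verdict(pkt, policy)}")
```

The interesting row is `nh253+tcp`: with the RFC 6564 skip the walker reaches the TCP header and forwards a packet that has nothing to do with DHCPv6, while the give-up policy drops it, which is the collateral damage the reply is arguing against. The limit of the skip policy is also visible in the code: if value 253 were really a protocol header rather than an extension header, the walker would read its second octet as a length and carry on, so the parse is only as trustworthy as the assumption behind `unknown_as_eh`.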
