On 10/02/2015 08:52, Ted Lemon wrote:
> On Feb 9, 2015, at 2:47 PM, Brian E Carpenter <[email protected]> wrote:
>> Fair enough. But let's just say that DHCPv6 Shield sees a Next Header
>> value of 253. How does it know where to look for a potential UDP
>> header with port 546?
>
> Either the next header is an unknown EH conforming to RFC 6564, or else it is
> a protocol header. If it is a protocol header, then it is an unknown
> protocol header, and therefore not a UDP header. If it conforms to RFC
> 6564, then it can be successfully skipped, whether or not it is known.
OK Ted, then please provide the pseudo-code for making that
determination:
if ???? then #it's an unknown extension header conforming to RFC 6564
else #it's an unknown transport protocol;
Brian
>> I simply don't believe that any security product designer will do
>> anything except give up and discard the packet. Don't we want RFCs
>> to live in the real world?
>
> We want RFCs to recommend the right thing. It is likely true that at
> present, the implementor of a switch that implements DHCPv6 shield may cut
> some corners on processing of unknown headers. However, this is not
> something the IETF should recommend they do, because our recommendations will
> last longer than the current state of the art. There is no reason to cast
> the limitations of the current state of the art in stone.
>
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
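Added example, not from this thread or from any DHCPv6-Shield implementation: a Python walk of an IPv6 header chain that makes the disagreement above concrete. Function names (`classify`, `build_packet`) and the packet bytes are constructed for illustration; the sample packet carries Next Header 253, then eight bytes that happen to fit the RFC 6564 layout, then a UDP header to port 546, so the verdict depends entirely on which reading of the unknown value the filter assumes.

```python
import struct

# Extension headers with the RFC 6564 / RFC 2460 "Next Header, Hdr Ext Len" layout.
SKIPPABLE_EH = {0, 43, 60, 135}   # Hop-by-Hop, Routing, Destination Options, Mobility
FRAGMENT = 44                     # fixed 8 bytes, no length field
UDP = 17
DHCPV6_CLIENT_PORT = 546          # a packet to this port is a DHCPv6 server message


def classify(packet: bytes, skip_unknown: bool) -> str:
    """Walk the header chain of a constructed IPv6 packet.

    skip_unknown=True is the permissive reading: treat any unknown Next Header
    value as an RFC 6564-shaped extension header and step over it.
    skip_unknown=False is the conservative reading: the bytes cannot tell us
    whether this is an extension header or a transport header, so stop.
    """
    nh, off = packet[6], 40          # Next Header field, end of fixed header
    while True:
        if off + 8 > len(packet):    # every branch below reads 8 bytes at off
            return "truncated"
        if nh == UDP:
            dport = struct.unpack_from("!H", packet, off + 2)[0]
            return "dhcpv6-server-message" if dport == DHCPV6_CLIENT_PORT else "other"
        if nh in SKIPPABLE_EH or (skip_unknown and nh != FRAGMENT):
            nh, hlen = packet[off], packet[off + 1]
            off += (hlen + 1) * 8    # Hdr Ext Len is in 8-octet units, excluding the first 8
        elif nh == FRAGMENT:
            nh, off = packet[off], off + 8
        else:
            return "unknown-next-header"


def build_packet(next_header: int, payload: bytes) -> bytes:
    """Constructed minimal IPv6 header (version 6, zero addresses) plus payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       b"\0" * 16, b"\0" * 16) + payload


def ambiguous_packet() -> bytes:
    """Next Header 253, then 8 bytes shaped like an RFC 6564 header whose own
    Next Header is UDP, then a UDP header from port 547 to port 546."""
    mystery = bytes([UDP, 0]) + b"\0" * 6
    udp = struct.pack("!HHHH", 547, DHCPV6_CLIENT_PORT, 8, 0)
    return build_packet(253, mystery + udp)


if __name__ == "__main__":
    pkt = ambiguous_packet()
    print("permissive:", classify(pkt, skip_unknown=True))     # dhcpv6-server-message
    print("conservative:", classify(pkt, skip_unknown=False))  # unknown-next-header
```

The same bytes yield a DHCPv6 server message under one reading and an undecidable chain under the other, which is why a filter that cannot resolve the Next Header value has only the drop decision left.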