On 02/09/2015 08:32 PM, Ted Lemon wrote:
[....]
> // tail call to check presumed RFC 6564 header.
> // if it's actually an unknown protocol header, we may
> // have to parse over some garbage before running off
> // the end of the packet and returning false.
> // It may also be deliberate garbage, in which case the
> // same thing will happen, but possibly more slowly.

You're essentially proposing a hack to fix a known protocol design flaw, instead of accepting the flaw and allowing DHCPv6-shield to comply with the existing specifications/requirements (RFC7045) -- all this under the assumption that RFC6564 gets deployed. In which case you're essentially declaring "game over" for any new transport protocol.

I'll just reference this: <http://www.ietf.org/mail-archive/web/opsec/current/msg01834.html>.

And note that you're arguing against 6man's advice in RFC7045.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
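The two parsing stances argued over above, as an added example that is not Ted Lemon's code nor anything posted in the thread: a bounded IPv6 header-chain walker in C that can either presume the RFC 6564 uniform format for an unrecognised Next Header (and keep parsing until it reaches an upper-layer header or runs off the end of the packet) or stop at the first value it does not recognise, which is the RFC 7045 stance that a node cannot tell an unknown extension header from a new transport protocol. The sample packets are constructed, not captures; protocol number 253 (an IANA experimental value) stands in for a hypothetical new transport protocol, and the function names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a header-chain walk. */
enum eh_result { EH_UPPER, EH_UNKNOWN, EH_TRUNCATED };

struct eh_walk {
    enum eh_result result;
    uint8_t next;    /* Next Header value where the walk stopped */
    size_t offset;   /* byte offset of that header inside the packet */
};

/* TCP, UDP, ESP, ICMPv6, No Next Header: nothing further to walk. */
static bool is_upper_layer(uint8_t nh)
{
    return nh == 6 || nh == 17 || nh == 50 || nh == 58 || nh == 59;
}

/* Walk the extension-header chain of one IPv6 packet.
 * presume_rfc6564 == true : an unknown Next Header is parsed as if it had the
 *   RFC 6564 layout (Next Header, Hdr Ext Len in 8-octet units not counting
 *   the first 8). If the bytes are really a transport header, the "length"
 *   is garbage and the walk either stops on a bounds check or keeps going.
 * presume_rfc6564 == false: the walk stops at the unknown value (RFC 7045). */
struct eh_walk walk_eh_chain(const uint8_t *pkt, size_t len, bool presume_rfc6564)
{
    struct eh_walk w = { EH_TRUNCATED, 0, 0 };
    if (len < 40) return w;                   /* no complete fixed header */
    uint8_t nh = pkt[6];
    size_t off = 40;
    for (int hops = 0; hops < 64; hops++) {   /* never trust the chain to terminate */
        size_t hlen;
        w.next = nh; w.offset = off;
        if (is_upper_layer(nh)) { w.result = EH_UPPER; return w; }
        switch (nh) {
        case 0: case 43: case 60:             /* HBH, Routing, Dest Opts */
            if (off + 2 > len) return w;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;
            break;
        case 44:                              /* Fragment: fixed 8 octets */
            hlen = 8;
            break;
        case 51:                              /* AH: (Payload Len + 2) * 4 */
            if (off + 2 > len) return w;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;
            break;
        default:                              /* unrecognised Next Header */
            if (!presume_rfc6564) { w.result = EH_UNKNOWN; return w; }
            if (off + 2 > len) return w;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;   /* may be garbage */
            break;
        }
        if (off + hlen > len) return w;       /* ran off the end: EH_TRUNCATED */
        nh = pkt[off];
        off += hlen;
    }
    w.result = EH_UNKNOWN;                    /* chain too long to be honest */
    return w;
}

/* Constructed samples (not real traffic), each 56 bytes:
 *  0: IPv6 -> Dest Opts -> UDP sport 547 (DHCPv6 server) dport 546
 *  1: IPv6 -> protocol 253 (8 bytes that happen to look like an RFC 6564 header) -> UDP
 *  2: IPv6 -> protocol 253 whose second byte is 0xff, i.e. a bogus Hdr Ext Len */
size_t build_sample(int which, uint8_t *buf, size_t cap)
{
    static const uint8_t udp[8] = { 0x02, 0x23, 0x02, 0x22, 0x00, 0x08, 0x00, 0x00 };
    uint8_t eh[8] = { 17, 0, 1, 4, 0, 0, 0, 0 };   /* NH=UDP, Hdr Ext Len=0, PadN */
    if (cap < 56) return 0;
    if (which == 2) eh[1] = 0xff;
    memset(buf, 0, 40);
    buf[0] = 0x60;                                  /* version 6 */
    buf[5] = 16;                                    /* payload length */
    buf[6] = (which == 0) ? 60 : 253;               /* Dest Opts or experimental proto */
    buf[7] = 64;                                    /* hop limit */
    memcpy(buf + 40, eh, 8);
    memcpy(buf + 48, udp, 8);
    return 56;
}

/* 1 = chain reaches UDP with source port 547 (DHCPv6 server message),
 * 0 = reaches something else or stops at an unknown header, -1 = truncated. */
int sample_verdict(int which, bool presume_rfc6564)
{
    uint8_t b[64];
    size_t n = build_sample(which, b, sizeof b);
    struct eh_walk w = walk_eh_chain(b, n, presume_rfc6564);
    if (w.result == EH_TRUNCATED) return -1;
    if (w.result != EH_UPPER || w.next != 17 || w.offset + 8 > n) return 0;
    return ((b[w.offset] << 8) | b[w.offset + 1]) == 547;
}

int main(void)
{
    for (int s = 0; s < 3; s++)
        printf("sample %d: presume-6564=%d  rfc7045=%d\n", s,
               sample_verdict(s, true), sample_verdict(s, false));
    return 0;
}
```

Sample 1 is the case the quoted comment relies on: under the RFC 6564 presumption the walker happily reads through the unknown header and finds the DHCPv6 port behind it, while the RFC 7045 stance stops and reports only that it cannot classify the packet. Sample 2 shows the other half of the comment, where a byte that is not a length at all sends the presumptive parser off the end of the packet.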
