On 2018-11-27 12:18, Benjamin Kaduk wrote:
<snip>
> Perhaps I am confused, but IIUC this document discusses values placed in
> the IPv6 "Next Header" field, some of which are EHs and some of which are
> not. Values not recognized to the processing entity may be EHs or may be
> "next protocol"s, and if the value is not recognized there is no way to
> know which is the case. Ergo, filtering out unknown values that might be
> EHs is also filtering out unknown next-protocols, which seems really bad
> for the future flexibility of the internet.
You are not at all confused. That's one of the reasons we wrote RFC7045.
But for a paranoid firewall, it doesn't matter. The logic is
unrecognized -> drop in either case.
(This is part of the chain of reasoning that led to
draft-carpenter-limited-domains, but that's another story.)
Brian
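The "unrecognized -> drop" logic Brian describes, as an added example that is not part of the thread or of RFC 7045: a small IPv6 header-chain walker that only knows the extension headers and upper-layer protocols listed in its own tables, and stops with a drop verdict at the first value it does not recognize, because (as the exchange above says) that value could be either an unknown EH or an unknown next protocol. The header tables, the `classify`/`build_packet`/`dest_opts` names and the sample packets are all constructed for this example.

```python
import struct

# Which protocol numbers are extension headers and which are upper-layer
# protocols is knowledge the filter carries in tables; the Next Header
# value itself does not say. Tables constructed for this example.
EH_TYPES = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
            51: "AH", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
NO_NEXT_HEADER = 59
IPV6_HEADER_LEN = 40


def _eh_length(next_hdr, payload, offset):
    """Byte length of the extension header that starts at payload[offset]."""
    if next_hdr == 44:                      # Fragment header: fixed 8 bytes
        return 8
    hdr_ext_len = payload[offset + 1]
    if next_hdr == 51:                      # AH: 4-byte units, not counting the first 2
        return (hdr_ext_len + 2) * 4
    return (hdr_ext_len + 1) * 8            # other EHs: 8-byte units, not counting the first


def classify(packet):
    """Walk the header chain. Returns (verdict, reason, headers_seen)."""
    if len(packet) < IPV6_HEADER_LEN:
        return ("drop", "truncated IPv6 header", [])
    if packet[0] >> 4 != 6:
        return ("drop", "not IPv6", [])
    next_hdr = packet[6]
    payload_len = struct.unpack("!H", packet[4:6])[0]
    payload = packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len]
    if len(payload) < payload_len:
        return ("drop", "truncated payload", [])
    offset, chain = 0, []
    while True:
        if next_hdr in UPPER_LAYER:
            chain.append(UPPER_LAYER[next_hdr])
            return ("accept", "known upper-layer protocol", chain)
        if next_hdr == NO_NEXT_HEADER:
            chain.append("No Next Header")
            return ("accept", "empty payload", chain)
        if next_hdr not in EH_TYPES:
            # Unknown EH or unknown next protocol: the value alone cannot
            # tell us which, so the paranoid policy is to drop either way.
            return ("drop", "unrecognized Next Header %d" % next_hdr, chain)
        if offset + 2 > len(payload):
            return ("drop", "truncated extension header", chain)
        chain.append(EH_TYPES[next_hdr])
        length = _eh_length(next_hdr, payload, offset)
        if offset + length > len(payload):
            return ("drop", "extension header exceeds payload", chain)
        next_hdr = payload[offset]             # first byte of every EH is Next Header
        offset += length


def build_packet(first_next_hdr, payload):
    """Constructed IPv6 header (zero addresses, hop limit 64) plus payload."""
    fixed = (bytes([0x60, 0, 0, 0]) + struct.pack("!H", len(payload))
             + bytes([first_next_hdr, 64]) + bytes(32))
    return fixed + payload


def dest_opts(next_hdr):
    """Constructed 8-byte Destination Options header holding one PadN option."""
    return bytes([next_hdr, 0]) + b"\x01\x04\x00\x00\x00\x00"


# Constructed sample packets (upper-layer bodies are zero-filled stubs).
SAMPLE_TCP = build_packet(6, bytes(20))
SAMPLE_DSTOPT_UDP = build_packet(60, dest_opts(17) + bytes(8))
SAMPLE_FRAG_TCP = build_packet(44, bytes([6, 0, 0, 0, 0, 0, 0, 1]) + bytes(20))
SAMPLE_UNKNOWN = build_packet(60, dest_opts(253) + bytes(8))    # 253: experimental value
SAMPLE_OVERRUN = build_packet(60, bytes([6, 5]) + bytes(6))      # claims 48 bytes, has 8

if __name__ == "__main__":
    for name, pkt in [("tcp", SAMPLE_TCP), ("dstopt+udp", SAMPLE_DSTOPT_UDP),
                      ("frag+tcp", SAMPLE_FRAG_TCP), ("unknown", SAMPLE_UNKNOWN),
                      ("overrun", SAMPLE_OVERRUN)]:
        print(name, classify(pkt))
```

The walker stops at the first value outside its tables rather than guessing a length for it, which is the only safe choice: an unknown EH has a length field the filter cannot locate, and an unknown upper-layer protocol has no length field at all. Growing the tables is how such a filter admits new values; nothing in the packet can do it.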
_______________________________________________
OPSEC mailing list
https://www.ietf.org/mailman/listinfo/opsec