> On 5 Dec 2018, at 19:08, Gert Doering <[email protected]> wrote: > > Hi, > >> On Wed, Dec 05, 2018 at 06:57:28PM +0100, Ole Troan wrote: >> You are creating the ???perceived??? security problem yourself, by requiring >> processing deeper into the packet than is required. >> Just comply with RFC8200. As long as a router is not configured to process >> any HBH options, it can ignore the header. >> You seem to think HBH still means ???punt to software???. If it ever meant >> that. >> >> There???s no need for rate-limiting for not processing HBH obviously. > > I *must* be able to look at the protocol field of packets coming in on > our borders (see detailed description on our rate-limiting rules in > another mail of today). If there are EHs in the way so our routers' > hardware cannot decide if this is a TCP or UDP packet, these packets > go down the drain. > > And I'm fairly sure you understand that operational reality, so I'm not > sure what point you are making. > > (It's not just HBH. EHs are fundamentally incompatible with today's > reality)
My point is that if you are worried about the processing cost for routers of EHs and HBH specifically, then this “security” draft makes that much worse than what’s specified in rfc8200. Cheers Ole > > Gert Doering > -- NetMaster > -- > have you enabled IPv6 on something today...? > > SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer > Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann > D-80807 Muenchen HRB: 136055 (AG Muenchen) > Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 _______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
