
Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

2013-10-11 03:36:38
On 10/11/2013 04:48 AM, Ray Hunter wrote:

> I think the draft does what it can in a pragmatic manner, but might
> benefit from some acknowledgement that this security approach of
> applying parsing at a single perimeter can never ever catch all variants
> of transporting FOO over BAR.

FWIW, my idea of the I-D is that it says "look, if you don't put all
this info into the first fragment, it's extremely likely that your
packets will be dropped". That doesn't mean that a middle-box may want
to look further. But looking further might imply
reassemble-inspect-and-refragment... or even reassemble the TCP stream
(e.g., think about an SSL/TCP-based VPN...)

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
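The "whole header chain in the first fragment, or expect drops" rule summarised above is easy to turn into the check a perimeter filter would run. The following is an added example, not code from the draft or from anyone in this thread; the minimum upper-layer header sizes, the constructed sample packets and the handling of protocols the filter does not model are assumptions of the example.

```python
import struct

# IANA Next Header values; the upper-layer entries map to an assumed minimum header size.
HOPOPT, ROUTING, FRAGMENT, NO_NEXT, DESTOPT = 0, 43, 44, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, DESTOPT}
UPPER_MIN_LEN = {6: 20, 17: 8, 58: 8}  # TCP, UDP, ICMPv6 (assumed sizes)

def header_chain_verdict(pkt: bytes) -> str:
    """Walk one IPv6 packet's header chain as a perimeter filter would.
    'pass': chain up to and including the upper-layer header is in this packet;
    'non-first': a later fragment, nothing to check; 'drop:<reason>' otherwise."""
    if len(pkt) < 40:
        return "drop:truncated fixed header"
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS or nh == FRAGMENT:
        if off + 8 > len(pkt):  # every extension header is at least 8 octets
            return "drop:chain cut inside an extension header"
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return "non-first"
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len counts 8-octet units
            if off + hdr_len > len(pkt):
                return "drop:extension header runs past the first fragment"
        nh, off = pkt[off], off + hdr_len
    if nh == NO_NEXT:
        return "pass"
    # Anything else is treated as the upper-layer header; unknown protocols get
    # a minimum size of 0 (a policy choice for this example).
    if off + UPPER_MIN_LEN.get(nh, 0) > len(pkt):
        return "drop:upper-layer header not in the first fragment"
    return "pass"

def fragment(after_nh: int, rest: bytes, offset_units: int = 0) -> bytes:
    """Constructed packet ::1 -> ::2 with a Fragment header (M=1) before `rest`;
    offset_units=0 makes it the first fragment."""
    payload = struct.pack("!BBHI", after_nh, 0, (offset_units << 3) | 1, 0x1234) + rest
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), FRAGMENT, 64)
    return fixed + b"\x00" * 15 + b"\x01" + b"\x00" * 15 + b"\x02" + payload

def dest_opts(nh: int, claimed_units: int) -> bytes:
    """One 8-octet Destination Options header (a single PadN option) whose
    Hdr Ext Len field may claim more octets than are actually present."""
    return struct.pack("!BB", nh, claimed_units) + b"\x01\x04" + b"\x00" * 4

TCP_MIN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
GOOD = fragment(DESTOPT, dest_opts(6, 0) + TCP_MIN)           # whole chain present
BAD_LONG = fragment(DESTOPT, dest_opts(6, 255) + TCP_MIN)     # claims 2048 octets
BAD_SPLIT = fragment(DESTOPT, dest_opts(6, 0) + TCP_MIN[:8])  # TCP header cut in two
```

Note that the check only sees the first fragment; the reassemble-inspect-and-refragment case mentioned above is exactly what this single-packet walk cannot do.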
