Fernando Gont wrote:
Hi, Masataka,
Hi,
The reality is that wise operators denied deployment of
stupid idea of extension headers including that for IP
reassembly.
Wrong. The worst kind of obscurity is a transport header at
the end of a chain of 1000 or more IPv6 extension headers.
Note that the transport header may not be placed in the
first fragment.
RFC7112 imposes some basic constraints: the entire EH chain must be
present in the first fragment.
Thank you for the information. But, I'm afraid the fix is too late
and too insufficient to change the reality above. That is, my point
on DOS is still valid and, worse, some combination of extension
headers may results in yet unnoticed vulnerability, which is
partially why allowing extension headers is a stupid thing to do.
Moreover, the rfc should also limit header chain length below
256B or so. Though DNS message over UDP over IPv4, with 576B
reassembly buffer, can be 508B (in practice, 548B) long, DNS
message over UDP over IPv6, with 1280B reassembly buffer,
can be less than 100B, if header chain is lengthy.
Worse, though the rfc require an entire upper layer header
included in the first fragment, the requirement is too much.
According to rfc792, the first 8B should be enough. As for
ICMPv6, ICMPv6 should also be required to contain all the
header chain up to the first 8B of an upper layer header.
Masataka Ohta