19 Jan 2014, 12:05 p.m.
On (2014-01-19 16:11 +0000), Nick Hilliard wrote:
> attacks for hardware-forwarded routers, so generally the only sensible option is to drop packets with long EH chains.
I think the sensible thing is to handle it in HW when possible and punt, rate-limited, when we must. Dropping standards-compliant data seems dubious at best.

Now, should it be standards-compliant? http://tools.ietf.org/html/draft-ietf-6man-oversized-header-chain-09 is looking to restrict EH more. I contacted the authors, hoping for even more limitation than what it currently suggests; they thought 6man would never accept limits as strict as I suggested. My suggestion is that IP + EH (not L4) SHOULD NOT span over 128B, and an implementation MAY drop frames with larger headers.

--
++ytti
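As an added example, not code from this thread or from either author: a Python walker over an IPv6 extension-header chain that measures how many bytes the IPv6 header plus EHs occupy before the upper-layer header, so the 128-byte limit suggested above can be checked per packet. The sample packets, the 2001:db8:: addresses and the set of header types treated as EHs are my own assumptions.

```python
import struct

IPV6_HDR_LEN = 40
# Extension headers whose size is (Hdr Ext Len + 1) * 8 octets (RFC 2460/8200)
EH_8OCTET = {0: "HBH", 43: "Routing", 60: "DstOpts"}
NH_FRAGMENT, NH_AH, NH_ESP = 44, 51, 50

def header_chain_length(pkt: bytes):
    """Bytes from the start of the IPv6 header up to the first non-EH header.
    Returns (chain_len, next_header, complete); complete is False when the chain
    is truncated or ends in ESP (opaque, so the true L4 offset is unknown)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EH_8OCTET or nh in (NH_FRAGMENT, NH_AH):
        if off + 2 > len(pkt):           # cannot read Next Header / Hdr Ext Len
            return off, nh, False
        ext_len = pkt[off + 1]
        if nh == NH_FRAGMENT:
            size = 8                     # Fragment header is fixed-size
        elif nh == NH_AH:
            size = (ext_len + 2) * 4     # AH: length in 32-bit words minus 2
        else:
            size = (ext_len + 1) * 8
        nh, off = pkt[off], off + size
        if off > len(pkt):               # chain runs past the end of the packet
            return off, nh, False
    return off, nh, nh != NH_ESP

def exceeds_limit(pkt: bytes, limit: int = 128) -> bool:
    """Policy check from the thread: IPv6 header + EH chain longer than `limit`."""
    chain_len, _, _ = header_chain_length(pkt)
    return chain_len > limit

# --- constructed sample packets (assumed values, not real captures) ---
def build_ipv6(first_nh: int, payload: bytes) -> bytes:
    src = dst = bytes.fromhex("20010db8") + bytes(12)   # 2001:db8::
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), first_nh, 64, src, dst) + payload

def build_eh(next_nh: int, ext_len: int) -> bytes:
    return bytes([next_nh, ext_len]) + bytes((ext_len + 1) * 8 - 2)

SHORT_CHAIN = build_ipv6(0, build_eh(60, 0) + build_eh(6, 1) + bytes(20))   # 40+8+16, then TCP
LONG_CHAIN = build_ipv6(0, build_eh(44, 15) + build_eh(17, 0) + bytes(8))  # 40+128+8, then UDP
```

A forwarding-plane filter would apply `exceeds_limit` only after `complete` is True; a truncated chain is a separate malformed-packet case.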