* Roland Dobbins:
> On Jul 14, 2010, at 8:38 PM, Florian Weimer wrote:
>> There's also the question of IP options (or extension headers). 8-)
>> I know that some modern hardware-based routers have the ability to either ignore options, or to drop option packets altogether.
>> There might be contractual reasons not to enable that feature. 8-/ Some vendors can process options in hardware, though.
> I believe the same is now true of IPv6 extension headers, or soon will be. You're absolutely correct that this is a significant possible attack vector, causing the packets in question to be punted, if there isn't a mechanism available to ignore them or to drop said packets.
It's probably not a high-priority issue for vendors until there are network issues (as opposed to potential problems seen in labs), so it's going to take quite a bit of time. Demand for devices with some IP-layer inspection capability that can handle (Fast or Gigabit) Ethernet at line rate, no matter what type of frames come in, is also a pretty recent thing, and I would be surprised if vendors can provide such capabilities across their entire relevant product line (where they advertise line-based forwarding).

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
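An added illustration of the mechanism the two of them are discussing, not code from the thread or from any router vendor: packets carrying IPv4 options (IHL > 5) or an IPv6 extension header chain fall out of the hardware fast path, and the router either punts them to its CPU (the default, and the attack vector), forwards them without acting on the options ("ignore"), or drops them. The small Python classifier below parses both header formats and applies one of those three treatments; it goes slightly beyond the thread in walking the full IPv6 extension header chain (Hop-by-Hop, Routing, Fragment, AH, ESP, Destination Options, Mobility) rather than just noting that one is present. The sample packets are constructed inline with zeroed checksums, and the policy names and the `classify`/`tally` helpers are my own for illustration.

```python
import struct

# IPv6 extension header "Next Header" values that form a chain before the
# upper-layer protocol (RFC 8200 for the core set, RFC 4302/4303 for AH/ESP).
IPV6_EXT_HEADERS = {
    0: "Hop-by-Hop Options",
    43: "Routing",
    44: "Fragment",
    50: "ESP",
    51: "AH",
    60: "Destination Options",
    135: "Mobility",
}


def ipv4_options(pkt: bytes) -> bytes:
    """Return the raw IPv4 options field; empty when IHL == 5 (no options)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hlen = (pkt[0] & 0x0F) * 4          # IHL is in 32-bit words
    if hlen < 20 or len(pkt) < hlen:
        raise ValueError("bad IHL or truncated header")
    return pkt[20:hlen]


def ipv6_ext_chain(pkt: bytes) -> list:
    """Walk the IPv6 extension header chain; return [(next_header, name), ...]."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in IPV6_EXT_HEADERS:
        chain.append((nh, IPV6_EXT_HEADERS[nh]))
        if nh == 50:                    # ESP: the rest is ciphertext, stop here
            break
        if len(pkt) < off + 8:
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == 44:                    # Fragment header is a fixed 8 bytes
            hlen = 8
        elif nh == 51:                  # AH: length in 32-bit words minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                           # all others: (Hdr Ext Len + 1) * 8
            hlen = (pkt[off + 1] + 1) * 8
        off, nh = off + hlen, next_nh
    return chain


# Three treatments for packets the forwarding ASIC cannot handle in the fast
# path (names are mine): "punt" hands them to the control-plane CPU, "ignore"
# forwards them without acting on the options, "drop" discards them.
POLICY_ACTION = {"punt": "punt", "ignore": "forward", "drop": "drop"}


def classify(pkt: bytes, policy: str = "punt") -> tuple:
    """Return (action, reason) for one packet under the given policy."""
    version = pkt[0] >> 4
    if version == 4:
        opts = ipv4_options(pkt)
        reason = "IPv4 options, %d bytes" % len(opts) if opts else ""
    elif version == 6:
        reason = ", ".join(name for _, name in ipv6_ext_chain(pkt))
    else:
        return ("drop", "unknown IP version %d" % version)
    if not reason:
        return ("forward", "plain header, fast path")
    return (POLICY_ACTION[policy], reason)


def tally(packets, policy: str = "punt") -> dict:
    """Count actions over a burst: with the default policy every option packet
    lands on the CPU, which is the slow-path exhaustion vector in the thread."""
    counts = {}
    for pkt in packets:
        action = classify(pkt, policy)[0]
        counts[action] = counts.get(action, 0) + 1
    return counts


# --- constructed sample packets (checksums left zero; not real captures) ---
def build_ipv4(options: bytes = b"", payload: bytes = b"") -> bytes:
    hlen = 20 + len(options)            # options must already be padded to 4 bytes
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | (hlen // 4), 0,
                      hlen + len(payload), 0x1234, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + options + payload


def build_ipv6(next_header: int, body: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), next_header, 64,
                       src, dst) + body


TCP_STUB = bytes(20)                                   # placeholder TCP header
SAMPLES = {
    "v4_plain": build_ipv4(payload=TCP_STUB),
    "v4_router_alert": build_ipv4(bytes([0x94, 4, 0, 0]), TCP_STUB),  # RFC 2113
    "v6_plain": build_ipv6(6, TCP_STUB),
    # Hop-by-Hop (Router Alert + PadN) -> Destination Options (PadN) -> TCP
    "v6_hbh_dst": build_ipv6(0, bytes([60, 0, 5, 2, 0, 0, 1, 0])
                             + bytes([6, 0, 1, 4, 0, 0, 0, 0]) + TCP_STUB),
    # Fragment header (offset 0, M=1, id=1) -> TCP
    "v6_frag": build_ipv6(44, bytes([6, 0, 0, 1, 0, 0, 0, 1]) + TCP_STUB),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-16s %s" % (name, classify(pkt)))
    print("default (punt):", tally(SAMPLES.values()))
    print("drop policy:   ", tally(SAMPLES.values(), "drop"))
```

Running it shows the asymmetry the thread is about: with the default treatment three of the five constructed packets (the Router Alert, the Hop-by-Hop chain and the fragment) reach the CPU, and only a configured "ignore" or "drop" policy keeps them in the hardware path. ESP is handled as a chain terminator because nothing after it is parseable, which is also why a "drop everything with extension headers" rule tends to collide with IPsec traffic.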