On 12 January 2017 at 21:53, Fernando Gont <fgont@si6networks.com> wrote:
besides, becaude of ipv6 ehs, you're not really guaranteed to receive e.g. the tcp header in the embedded payload (the embedded payload could easily be fixed ipv6 header + ehs).
If the CoPP drops what has not been explicitly allowed, then packets with EH should be dropped. Particularly if you're not allowing 'tcp' but you're allowing 'next-header tcp'. I.e. the real BGP session (that attacker is trying to disrupt) would not have EH, on account that it would not come up if it had. But I agree if you do need and do use EH, things can get really dirty really fast, fundamentally no one implements standard compliant IPv6, if we're insisting that even pathological EH chains should work (which is fair viewpoint, while not one that I share). Maybe embedded flow-label could used to add confidence ICMP message is for packet we've actually sent? Make flow-label hash, a'la syn cookie. Spooffed ICMP message to disrupt existing TCP isn't novel. Coincidentally one service I use stopped working yesterday, but just for me, after short debugging, there was route cache entry on the server for my client ip which needed to be flushed, perhaps ended up there due to rogue ICMP redirect. -- ++ytti