[ipv6hackers] IPv6 Extension Headers

Fernando Gont fgont at si6networks.com
Fri May 18 19:09:09 CEST 2012

Hi, Daniel,

On 05/18/2012 05:02 AM, daniel.bartram at bt.com wrote:
> Other than dropping the Routing EH to protect against DoS, are there
> any other recommendations that can be followed or rules implemented
> to allow normal operation of IPv6 (MLD etc.) but also ensure that
> infinite EH's are not stitched together to cause a DoS attack on a
> node?

I'd say: enforce a limit on the maximum number of EH that you process
(16 would be more than enough -- you can probably safely use much
smaller values such as 6-8).

What you do when you hit that limit could vary from dropping the
offending packet to simply ignoring any subsequent EHs past the enforced
limit (the latter should probably be preferred).

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list