[ipv6hackers] RA guard evasion

Felix 'FX' Lindner fx at recurity-labs.com
Fri May 17 03:23:22 CEST 2013


Hi,

On Wed, 15 May 2013 15:05:31 +0200 Marco Ermini
<marco.ermini at gmail.com> wrote:
> At the level of the switch/router vendor, it implies changing simply
> completely the business strategy. When you start your "IPv6 switch
> project" you have to think e.g. if to use an ASIC or an FPGA, just to
> name some of the many decisions that have to be taken, and
> consequently the skills of the engineers to employ, the supply chain
> etc. - it is not as easy as "giving a secondary speed" option, the
> vendor has to enter a completely different market segment...

I see what you are getting at. However, I don't see how this changes
the entire business strategy. Unless, of course, that strategy is to
take data from an arbitrary offset in the packet. Routers and switches
are made only with line-speed in mind. But the option to willingly punt
packets (e.g. by ACL) should be there and should result in correct
reassembly. Or not?

> I would think instead much more probable that something that is able
> to do such reassembling is more probable from some firewall/IPS/NGFW
> or SDN vendor. They are much better positioned for that.

Here, I strongly disagree. Reassembly is part of the L3 protocol we all
talk about here, so it's part of the functional requirement for every
device that claims to be handling this. Do you really want a
firewall/IPS/NGFW/SDN just in order to fulfil the basic requirements of
reassembling fragments?

If, however, the consensus is that the mere idea of fragments was wrong,
fix the spec and be done with it. This would also not require
firewall/IPS/NGFW/SDN.

Thanks for sharing your thoughts, I appreciate your point of view.

cheers
FX


