[ipv6hackers] Fwd: Some stats on IPv6 fragments and EH filtering on the Internet
Fernando Gont
fgont at si6networks.com
Thu Nov 7 11:39:17 CET 2013
Hi, Enno,
On 11/06/2013 06:39 AM, Enno Rey wrote:
>
> I'd like to take this (statement) as a starting point to another
> discussion. Both of you (Fernando and Eric) seem to imply that
> filtering packets with EHs and/or fragmentation is actually a bad
> thing.
mm... I don't. I'm kind of skeptical on this topic, so to speak. On one
hand, I look at the stats, and think "Oh, looks like it wouldn't be
possible to do anything useful with EHs". On the other hand, witha
security hat on, it's kind of obvious that people filter extension
headers (at least the non-FH ones).
> Wearing my "IPv6 enthusiast" (and "net citizen") hat I can
> support that stance. Wearing my "[IPv6] security practitioner" hat I
> explicitly can _not_.
Kind of what I described above. :-)
> As of late 2013 I personally can't really see much use/need for
> fragmented IPv6 traffic at all.
DNS?
> As for the "a3" type I'd be very happy to learn about any IPv6
> service or application generating or relying on such packets. Sure, I
> know the "in the future there might be IPv6 services we don't know of
> yet, that's what we built IPv6 for"line of reasoning. Given the
> apparent reality out there (expressed in the numbers of Fernando's
> presentation and Tim's [student's] work) it might just not be a very
> smart idea to come up with a future service/application of that type
> ;-)
Yep... The data we have contributed essentially indicates that if you're
thinking about producing extensions, you should have at least a backup plan.
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
More information about the Ipv6hackers
mailing list