[127787] in North American Network Operators' Group


Re: Vyatta as a BRAS

daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed Jul 14 10:00:25 2010

To: "Dobbins, Roland" <rdobbins@arbor.net>
From: Florian Weimer <fweimer@bfk.de>
Date: Wed, 14 Jul 2010 13:59:39 +0000
In-Reply-To: <3B8F01CE-9F9F-4235-A82C-946B0A5475C3@arbor.net> (Roland
	Dobbins's message of "Wed, 14 Jul 2010 13:43:34 +0000")
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

* Roland Dobbins:

> On Jul 14, 2010, at 8:38 PM, Florian Weimer wrote:
>
>> There's also the question of IP options (or extension headers). 8-)
>
> I know that some modern hardware-based routers have the ability to
> either ignore options, or to drop option packets altogether.

There might be contractual reasons not to enable that feature. 8-/
Some vendors can process options in hardware, though.

> I believe the same is now true of IPv6 extension headers, or soon
> will be.  You're absolutely correct that this is a significant
> possible attack vector, causing the packets in question to be
> punted, if there isn't a mechanism available to ignore them or to
> drop said packets.

It's probably not a high-priority issue for vendors until there are
network issues (as opposed to potential problems seen in labs), so
it's going to take quite a bit of time.  Demand for devices with some
IP-layer inspection capability that can handle (Fast or Gigabit)
Ethernet at line rate, no matter what type of frames come in, is also
a pretty recent thing, and I would be surprised if vendors can provide
such capabilities across their entire relevant product line (where
they advertise line-based forwarding).

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
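The exchange above turns on how a forwarding engine tells an "ordinary" packet from one carrying IPv4 options or IPv6 extension headers, and what policy it applies to the latter (punt to the CPU, ignore the options and forward in hardware, or drop). The following is an added, stand-alone illustration, not code from the thread or from any vendor: it parses the IPv4 IHL field and walks the IPv6 Next Header chain, then applies one of those three policies. The sample packets, addresses and the `classify` policy names are constructed for the example; the protocol numbers are the IANA assignments.

```python
import struct

# IPv6 extension header protocol numbers (IANA assignments).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {
    HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
    ESP: "esp", AH: "ah", DEST_OPTS: "dest-opts", MOBILITY: "mobility",
}
TCP = 6


def ipv4_has_options(pkt):
    """True when the IPv4 header is longer than the 20-byte minimum (IHL > 5)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = pkt[0] & 0x0F
    if ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("bad IHL or truncated header")
    return ihl > 5


def ipv6_ext_headers(pkt, max_chain=8):
    """Walk the IPv6 Next Header chain.

    Returns (names, upper_proto): the extension headers seen, in order, and the
    protocol number that terminates the chain.  ESP ends the walk because its
    Next Header field lives in the (encrypted) trailer.  A chain longer than
    max_chain is rejected: bounding the walk is what keeps it fast-path safe.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, names = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(names) >= max_chain:
            raise ValueError("extension header chain too long")
        names.append(EXT_HEADERS[nh])
        if nh == ESP:
            break
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hdr_len = 8                          # fixed-size header
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4     # AH length: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8     # Hdr Ext Len: 8-octet units, first 8 not counted
        nh = pkt[off]
        off += hdr_len
    return names, nh


def classify(pkt, policy="punt"):
    """Decide what the forwarding engine does with a packet.

    `policy` (constructed names for this example) applies only to packets that
    carry IPv4 options or IPv6 extension headers:
      "punt"   -> hand to the control-plane CPU (the slow path the thread worries about)
      "ignore" -> forward in hardware as if the options were not there
      "drop"   -> discard
    Returns "fast-path", "punt" or "drop".
    """
    version = pkt[0] >> 4
    if version == 4:
        special = ipv4_has_options(pkt)
    elif version == 6:
        special = bool(ipv6_ext_headers(pkt)[0])
    else:
        return "drop"
    if not special:
        return "fast-path"
    return {"punt": "punt", "ignore": "fast-path", "drop": "drop"}[policy]


# --- constructed sample packets (documentation addresses, zeroed TCP stub) ---
def _ipv4(options=b""):
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                      64, TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + options


def _ipv6(next_header, payload):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      bytes.fromhex("20010db8" + "00" * 12),
                      bytes.fromhex("20010db8" + "00" * 11 + "01"))
    return hdr + payload


TCP_STUB = bytes(20)
PADN6 = bytes([0x01, 0x04, 0, 0, 0, 0])                  # PadN filling the 6 option octets
IPV4_PLAIN = _ipv4()
IPV4_ROUTER_ALERT = _ipv4(bytes([0x94, 0x04, 0x00, 0x00]))  # Router Alert option (RFC 2113)
IPV6_PLAIN = _ipv6(TCP, TCP_STUB)
IPV6_HBH_DST = _ipv6(HOP_BY_HOP, bytes([DEST_OPTS, 0]) + PADN6
                     + bytes([TCP, 0]) + PADN6 + TCP_STUB)
IPV6_HBH_FRAG = _ipv6(HOP_BY_HOP, bytes([FRAGMENT, 0]) + PADN6
                      + struct.pack("!BBHI", TCP, 0, 0, 0x1234) + TCP_STUB)

if __name__ == "__main__":
    for name, pkt in [("ipv4 plain", IPV4_PLAIN), ("ipv4 router-alert", IPV4_ROUTER_ALERT),
                      ("ipv6 plain", IPV6_PLAIN), ("ipv6 hbh+dst", IPV6_HBH_DST),
                      ("ipv6 hbh+frag", IPV6_HBH_FRAG)]:
        print(f"{name:18s}", {p: classify(pkt, p) for p in ("punt", "ignore", "drop")})
```

The point the walk makes concrete is why the "punt" default is a capacity problem: every header in the chain costs a dependent memory read, and the length of the chain is chosen by the sender, so a platform that cannot bound or skip the walk in hardware has to finish it in software. Counting how often `classify` returns "punt" per interface is the obvious place to hang a rate alarm.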

