RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard


 



Hi Ole,

> -----Original Message-----
> From: Ole Troan [mailto:otroan@xxxxxxxxxxxxx]
> Sent: Wednesday, October 16, 2013 8:29 AM
> To: Templin, Fred L
> Cc: Fernando Gont; Ronald Bonica; Brian E Carpenter; 6man-
> chairs@xxxxxxxxxxxxxx; Ray Hunter; 6man Mailing List; ietf@xxxxxxxx
> Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
> 
> Fred,
> 
> > To repeat what has already been said many times (and hopefully for
> > just one final time), if the host is permitted to include an MTU-sized
> > header chain and if there is a tunnel on the path that needs to fragment
> > for whatever reason, then that header chain is going to spill into a
> > second fragment. Then, middleboxes that wish to examine the entire
> > header chain in the first fragment for whatever reason will be unable
> > to do so. Consensus or no, those are the facts.
> 
> absolutely.
> 
> the outer IPv6 header is a new datalink for the inner IPv6 header.
> there is no architectural difference if that L2 is IPv6, IPv4 or PPP.
> take IPv4 or PPP as an example, if PPP provides fragmentation, then
> there is no expectation that the PPP or IPv4 layer keeps the payload
> IPv6 header chain in one PPP or IPv4 fragment.
> 
> the rules in this document are not recursive. the header chain
> terminates as soon as another IPv6 header is encountered.

I disagree with the header chain terminating as soon as another IPv6
header is encountered. That defeats defense-in-depth, since outer
perimeter middleboxes would be forced to admit packets with unexamined
header chains inward to inner perimeter middleboxes. And, if the
unexamined header chains contain bad stuff inserted by an attacker,
the attack is successful.

That requirement is also not observed by common middlebox systems
such as Wireshark and tcpdump. Both will blast past encapsulating
IPv6 headers through to the header chain inserted by the original
host without stopping at the outermost IPv6 header.

Thanks - Fred
fred.l.templin@xxxxxxxxxx
 
> does that clarification help?
> I'm not quite sure if the document is clear enough on this point.
> 
> Best regards,
> Ole
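To make the spill-over the thread argues about concrete, here is an added example (not code from the thread or from the draft) that builds an IPv6 packet with a long Destination Options header, encapsulates it IPv6-in-IPv6, fragments it at a 1280-byte tunnel MTU, and walks the header chain of the first fragment both ways: stopping at the inner IPv6 header, and continuing through it as tcpdump and Wireshark do. The addresses, fragment id and packet sizes are constructed, and the walker assumes it is handed a first fragment.

```python
import struct

# IANA protocol numbers; the addresses (2001:db8::/32 documentation prefix) and fragment id are constructed.
IPV6, TCP, HOPOPT, ROUTING, FRAGMENT, DSTOPT = 41, 6, 0, 43, 44, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPT}
SRC, DST = bytes.fromhex("20010db8" + "0" * 22 + "01"), bytes.fromhex("20010db8" + "0" * 22 + "02")

def ipv6_header(next_header, payload_len):
    """Fixed 40-byte IPv6 header: version 6, flow label 0, hop limit 64."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64, SRC, DST)

def options_header(next_header, total_len):
    """Destination Options header of total_len bytes (multiple of 8); the options area is all Pad1."""
    assert total_len % 8 == 0 and total_len >= 8
    return bytes([next_header, total_len // 8 - 1]) + b"\0" * (total_len - 2)  # Hdr Ext Len skips first 8

def header_chain_end(pkt, stop_at_inner_ipv6=False):
    """Walk the header chain of a packet or first fragment from offset 0. Returns the offset of the
    upper-layer header, or None when the chain runs past the bytes held (it spilled into a later
    fragment). stop_at_inner_ipv6=True ends the chain at an encapsulated IPv6 header (the rule Ole
    describes); False keeps walking through it, as tcpdump and Wireshark do."""
    off, nh = 0, IPV6
    while True:
        if nh == IPV6:
            if off and stop_at_inner_ipv6:          # an IPv6 header past offset 0 is an inner one
                return off
            if off + 40 > len(pkt):
                return None
            nh, off = pkt[off + 6], off + 40
        elif nh in EXT_HEADERS:
            if off + 8 > len(pkt):
                return None
            hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8   # Fragment header is fixed-size
            if off + hlen > len(pkt):
                return None
            nh, off = pkt[off], off + hlen
        else:
            return off                               # TCP, UDP, ICMPv6, ...: chain is complete

def tunnel_first_fragment(inner, tunnel_mtu):
    """IPv6-in-IPv6 encapsulation followed by fragmentation at the tunnel MTU: outer IPv6 (40) +
    Fragment header (8, offset 0, M=1) + the largest multiple-of-8 prefix of the inner packet that fits."""
    room = (tunnel_mtu - 48) // 8 * 8
    frag = bytes([IPV6, 0]) + struct.pack("!HI", 0x0001, 0x12345678)
    return ipv6_header(FRAGMENT, 8 + len(inner[:room])) + frag + inner[:room]

def host_packet(dstopt_len, payload_len=20):
    """Constructed inner packet: IPv6 + one Destination Options header + a zeroed TCP-sized payload."""
    return ipv6_header(DSTOPT, dstopt_len + payload_len) + options_header(TCP, dstopt_len) + b"\0" * payload_len
```

A 1200-byte options header fits the host's 1280-byte MTU, yet the tunnel's first fragment holds only 1232 bytes of the inner packet, so a middlebox walking through the inner IPv6 header cannot reach the TCP header; stopping at the inner header instead reports a complete chain while leaving the inner one unexamined.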




