Hi,

On 02/10/2016 04:50 AM, Masataka Ohta wrote:
[....]
>>> The reality is that wise operators denied deployment of
>>> stupid idea of extension headers including that for IP
>>> reassembly.
>
>>> Wrong. The worst kind of obscurity is a transport header at
>>> the end of a chain of 1000 or more IPv6 extension headers.
>>>
>>> Note that the transport header may not be placed in the
>>> first fragment.
>
>> RFC7112 imposes some basic constraints: the entire EH chain must be
>> present in the first fragment.
>
> Thank you for the information. But, I'm afraid the fix is too late
> and too insufficient to change the reality above. That is, my point
> on DOS is still valid and, worse, some combination of extension
> headers may result in a yet unnoticed vulnerability, which is
> partially why allowing extension headers is a stupid thing to do.
>
> Moreover, the rfc should also limit header chain length below
> 256B or so.

I tried that in 6man, but there was opposition to my proposal at the time.

> Though a DNS message over UDP over IPv4, with a 576B
> reassembly buffer, can be 508B (in practice, 548B) long, a DNS
> message over UDP over IPv6, with a 1280B reassembly buffer,
> can be less than 100B, if the header chain is lengthy.

Agreed.

> Worse, though the rfc requires an entire upper layer header
> to be included in the first fragment, the requirement is too much.

Not sure what you mean.

> According to rfc792, the first 8B should be enough. As for
> ICMPv6, ICMPv6 should also be required to contain all the
> header chain up to the first 8B of an upper layer header.

... which may not be feasible if a long EH chain is employed in the
packet that generated the error message.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
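The two checks debated in this message, the RFC 7112 rule that the header chain must sit within the first fragment and the proposed cap on extension header chain length, as an added example that is not part of the original thread. The walker, `filter_decision`, `dns_room` and `build_pkt` are assumed names; the 256-byte ceiling is the thread's proposal rather than an RFC value, and the packets are constructed in the code.

```python
"""Walk an IPv6 header chain and apply the checks discussed in the thread. Added
example, not the thread authors' code; MAX_EH_CHAIN is the thread's proposed
256-byte ceiling, not an RFC value, and all packets are constructed here."""
import struct

IPV6_HDR_LEN, MIN_MTU = 40, 1280       # fixed header; minimum MTU / reassembly size discussed
MAX_EH_CHAIN = 256                     # proposed ceiling from the thread (assumption)
FRAGMENT, UDP = 44, 17
EXT_HDRS = {0, 43, FRAGMENT, 60}       # Hop-by-Hop, Routing, Fragment, Destination Options


def walk_chain(pkt: bytes):
    """Return (upper_layer_offset, upper_layer_proto, complete). complete is False when
    an extension header, or the first 8 bytes of the upper-layer header, lies past the end
    of pkt: what RFC 7112 forbids in a first fragment (the RFC wants the whole upper-layer
    header; the thread argues the first 8 bytes, i.e. a full UDP header, should suffice)."""
    nxt, off = pkt[6], IPV6_HDR_LEN
    while nxt in EXT_HDRS:
        if off + 2 > len(pkt):                      # this header's fixed part is missing
            return off, nxt, False
        # Fragment header is a fixed 8 B; others carry Hdr Ext Len in 8-octet units, first excluded
        hlen = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hlen
    return off, nxt, off + 8 <= len(pkt)

def filter_decision(first_frag: bytes) -> str:
    """Drop/accept decision for a first fragment or an unfragmented packet."""
    off, _, complete = walk_chain(first_frag)
    if not complete:
        return "drop: header chain not within first fragment (RFC 7112)"
    if off - IPV6_HDR_LEN > MAX_EH_CHAIN:
        return "drop: extension header chain exceeds %d bytes" % MAX_EH_CHAIN
    return "accept"

def dns_room(upper_layer_offset: int) -> int:
    """Bytes left for a DNS message in a 1280-byte packet after the chain and UDP header."""
    return MIN_MTU - upper_layer_offset - 8

def build_pkt(n_dst_opts: int, first_frag: bool, udp_payload: bytes) -> bytes:
    """Constructed packet: n Destination Options headers (8 B each, one PadN option), optional
    Fragment header (offset 0, M=1, id 0x1234), then UDP to port 53 (checksum left 0)."""
    ext, nxt = b"", UDP
    for h in reversed([60] * n_dst_opts + ([FRAGMENT] if first_frag else [])):
        if h == FRAGMENT:
            ext = bytes([nxt, 0]) + struct.pack("!HI", 1, 0x1234) + ext
        else:
            ext = bytes([nxt, 0, 1, 4, 0, 0, 0, 0]) + ext
        nxt = h
    body = ext + struct.pack("!HHHH", 53, 53, 8 + len(udp_payload), 0) + udp_payload
    return struct.pack("!IHBB", 6 << 28, len(body), nxt, 64) + bytes(32) + body
```

With no extension headers `dns_room(40)` gives the familiar 1232 bytes; a first fragment cut short of the UDP header (for instance `build_pkt(3, True, b"")[:72]`) is rejected under the RFC 7112 rule, and forty 8-byte Destination Options headers trip the proposed 256-byte ceiling.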