
Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification,etc.]



At 6:54 PM -0700 4/30/98, Theodore Y. Ts'o wrote:
> If this is the case, this simplifies things significantly.  This way, if
> there is an unknown extension header before the AH header, the IPSEC
> host (or security gateway) will have already rejected the packet and
> have sent an ICMP packet back at the sender.  So we don't need to have
> any words about handling unknown extension headers; they will just be
> rejected.  Can someone in the IPNG working group confirm my reading of
> IPV6 spec?

Your reading of the IPv6 spec is correct, except that it doesn't say or imply
anything about the behavior of security gateways.

Gateways that encapsulate entire IPv6 packets with an AH header will not
examine any extension headers in the packet to be encapsulated, and
therefore will not reject it on the basis of an unrecognized header.

Gateways that insert an AH header into a passing IPv6 packet (architecturally
impure device that I hope no one is seriously advocating) will probably have
to treat an unrecognized header as a potential end-to-end header (e.g.,
an unrecognized transport protocol header), and therefore will insert the
AH header before the unrecognized header and forward it onward, rather than
rejecting it.

> I'm curious --- was it ever the case that the extension header
> processing worked the way I described them in the first paragraph?

No.  For the reasons you realized.

> The IPV6 expert whom I talked to was pretty definitive that this was the
> way things worked; I was pretty surprised, since I thought it was incredibly
> ugly and unclean, but I wasn't the IPv6 expert.

Your expert was mistaken (perhaps having once argued in favor of the behavior
described to you, and forgetting that he or she didn't actually win the
argument?).

Steve
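As an added illustration, not code from this thread or from any IPng implementation, of the two behaviours Steve contrasts: a destination host walking the extension-header chain discards a packet with an unrecognized Next Header value and answers with ICMPv6 Parameter Problem code 1, while a tunnel-mode AH gateway wraps the whole packet without inspecting the inner chain at all. Header layouts follow RFC 2460 (extension headers, section 4 error handling) and RFC 2402 (AH); the sample packet, the experimental value 253 standing in for the "unknown" header, and the placeholder ICV are constructed for the example.

```python
import struct
# Next Header values from RFC 2460 / IANA; 253 (experimental) is our constructed unknown header.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
IPV6_IN_IPV6, TCP, UDP, ICMPV6, UNKNOWN_NH = 41, 6, 17, 58, 253
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}      # chain headers we can parse
KNOWN_TERMINAL = {ESP, NO_NEXT, IPV6_IN_IPV6, TCP, UDP, ICMPV6}     # what this toy node understands

def ext_header_len(kind, pkt, off):
    """Byte length of the extension header that starts at pkt[off]."""
    if kind == FRAGMENT:
        return 8                        # fixed size, no length field
    if kind == AH:
        return (pkt[off + 1] + 2) * 4   # AH Payload Len: 32-bit words, minus 2
    return (pkt[off + 1] + 1) * 8       # Hdr Ext Len: 8-octet units, not counting the first 8

def walk_chain(pkt):
    """Yield (offset of the Next Header field, its value), starting with the fixed
    40-byte header and stopping at the first value that is not a parseable extension."""
    nh, off = pkt[6], 40
    yield 6, nh
    while nh in EXT_HEADERS:
        length = ext_header_len(nh, pkt, off)
        nh = pkt[off]
        yield off, nh
        off += length

def host_receive(pkt):
    """RFC 2460 section 4: an unrecognized Next Header value means discard and send
    ICMPv6 Parameter Problem, code 1, with Pointer = offset of the offending byte."""
    for off, nh in walk_chain(pkt):
        if nh in KNOWN_TERMINAL:
            return ("deliver", nh)
        if nh not in EXT_HEADERS:
            return ("icmp_parameter_problem", 1, off)

def tunnel_gateway(pkt, outer_src, outer_dst):
    """Tunnel-mode AH: new IPv6 header + AH in front of the whole original packet. The inner
    chain is never walked, so an unknown inner header cannot cause a rejection here."""
    ah = bytes([IPV6_IN_IPV6, 4, 0, 0]) + bytes(4) + bytes(4) + b"\xaa" * 12   # placeholder ICV
    outer = struct.pack("!IHBB", 0x60000000, len(ah) + len(pkt), AH, 64) + outer_src + outer_dst
    return outer + ah + pkt

def make_packet(upper_nh):
    """Constructed packet ::1 -> ::2: one Destination Options header (PadN filler) whose
    Next Header field names upper_nh, followed by 8 zero bytes of that protocol."""
    dest_opts = bytes([upper_nh, 0, 1, 4, 0, 0, 0, 0])
    fixed = struct.pack("!IHBB", 0x60000000, len(dest_opts) + 8, DEST_OPTS, 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x02" + dest_opts + bytes(8)
```

The Pointer returned for the unknown header is 40, the first byte of the Destination Options header, which is exactly where the unrecognized value sits; the encapsulated packet, by contrast, is delivered by the peer gateway without ever seeing that value.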