Vyatta as a BRAS

Dobbins, Roland rdobbins at arbor.net
Wed Jul 14 13:43:34 UTC 2010


On Jul 14, 2010, at 8:38 PM, Florian Weimer wrote:

> There's also the question of IP options (or extension headers). 8-)

I know that some modern hardware-based routers have the ability to either ignore options, or to drop option packets altogether.

I believe the same is now true of IPv6 extension-headere, or soon will be.  You're absolutely correct that this is a significant possible attack vector, causing the packets in question to be punted, if there isn't a mechanism available to ignore them or to drop said packets.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken







More information about the NANOG mailing list