Denial-of-service by extension header chain

IPv6 employs the idea of "extension header chain"
Many extension headers can be attached to a packet

There's no upper limit to the number of extension headers!
Specwise, there's no limitation at all

KAME strategy:
Design function call tree so that there's no kernel stack overflow
Limit number of extension headers acceptable (tunable)
Too many extension headers = an attack attempt

[IPv6, next=routing] [routing, next=TCP] [TCP] [TCP payload]