RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]

"Tony Hain" <alh-ietf@tndh.net> Thu, 26 April 2007 22:58 UTC

Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HhCvJ-0007dc-EL; Thu, 26 Apr 2007 18:58:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HhCvI-0007dU-Ex for ipv6@ietf.org; Thu, 26 Apr 2007 18:58:48 -0400
Received: from static-66-15-163-216.bdsl.verizon.net ([66.15.163.216] helo=tndh.net) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HhCvH-00025Y-Vn for ipv6@ietf.org; Thu, 26 Apr 2007 18:58:48 -0400
Received: from eagle (127.0.0.1:2669) by tndh.net with [XMail 1.17 (Win32/Ix86) ESMTP Server] id <S2F09EF> for <ipv6@ietf.org> from <alh-ietf@tndh.net>; Thu, 26 Apr 2007 15:58:46 -0700
From: Tony Hain <alh-ietf@tndh.net>
To: 'Brian E Carpenter' <brc@zurich.ibm.com>, 'IETF IPv6 Mailing List' <ipv6@ietf.org>
References: <462D4706.4000504@spaghetti.zurich.ibm.com> <462E7AB4.3050807@piuha.net> <m2mz0xp6je.wl%gnn@neville-neil.com> <20070425093402.A30586@mignon.ki.iif.hu> <20070425141336.E95D522875@thrintun.hactrn.net> <462F7005.50700@sri.com> <CE11116E-DF68-481D-AB30-E592C339CEFB@nokia.com> <46307C0E.9060809@zurich.ibm.com>
In-Reply-To: <46307C0E.9060809@zurich.ibm.com>
Date: Thu, 26 Apr 2007 15:58:37 -0700
Message-ID: <017601c78856$6d2b7cc0$47827640$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AceH7AuZvGsv1j2WTs60CpVyMXIfeAAaduHg
Content-Language: en-us
X-Spam-Score: 0.1 (/)
X-Scan-Signature: f60d0f7806b0c40781eee6b9cd0b2135
Cc:
Subject: RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: alh-ietf@tndh.net
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org

I thought we already limited to 1 RH0 per packet, but I will have to go back and take a closer look. 

As I said on V6ops, before you kill this off too quickly, James Woodyatt's proxy redirection is a perfect example of a valid use for Type 0 Routing Headers. He wants the firewall to redirect traffic through a designated point (what this header was designed to do), and the only hammer at his immediate disposal was IPv6/IPv6 NAT. What I don't know is if the firewall can insert one that did not exist, because the source wouldn't know about his 'transparent' proxy. 

It is certainly reasonable to have a BCP that says 'these should be filtered at policy boundaries unless there is a good reason to do otherwise', but they are a tool to solve some very specific corner cases. I would say that firewalls should drop these by default, but the rest of the system should recognize them as normal.

Tony

> -----Original Message-----
> From: Brian E Carpenter [mailto:brc@zurich.ibm.com]
> Sent: Thursday, April 26, 2007 3:17 AM
> To: IETF IPv6 Mailing List
> Subject: Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header
> issues]
> 
> On 2007-04-26 02:39, Bob Hinden wrote:
> > [trimming this to just the IPv6 w.g.]
> >
> > We think the question for the IPv6 working group on this topic is does
> > the working group want to do anything to address the issues raised about
> > the Type 0 routing header.  Possible actions include:
> >
> >  1) Deprecate all usage of RH0
> >  2) Recommend that RH0 support be off by default in hosts and routers
> >  3) Recommend that RH0 support be off by default in hosts
> >  4) Limit its usage to one RH0 per IPv6 packet and limit the number of
> > addresses in one RH0.
> 
> Excuse my ignorance, but have the following three rules ever been
> considered?
> 
> 1. The list of addresses in an RH0 MUST NOT include the packet's source
> address.
> 2. The same address MUST NOT occur more than once in an RH0.
> 3. A node processing an RH0 MUST discard any packet breaking these two
> rules.
> 
> I'd be interested in whether this would eliminate the various attacks.
> 
> (I'm not really advocating this, since it is added complexity for
> a feature that we don't obviously need anyway. But if we don't deprecate
> it, all the other options seem to leave the threats in place.)
> 
>       Brian
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
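The three rules Brian proposes in the quoted message (no source address in the RH0 list, no repeated address, discard on violation), together with the one-RH0-per-packet limit Tony mentions, are easy to state as a packet check. The following is an added example, not code from this thread or from any IETF or vendor implementation. It walks the IPv6 extension-header chain using the RFC 2460 layout (Next Header, Hdr Ext Len in 8-octet units, Routing Type, Segments Left, 4 reserved bytes, then 16-byte addresses for Type 0) and applies the rules. The `build_packet` helper, the `copies` parameter used to produce a double-RH0 packet, and all addresses are constructed for the demonstration; the repeated A,B,A,B list models the address-repetition pattern that rule 2 is aimed at.

```python
"""Checker for IPv6 Type 0 Routing Headers (RH0).

Added example for the rules proposed on the list; not code from the thread.
Packet bytes are constructed inline (2001:db8::/32 documentation addresses).
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS = 0
NH_ROUTING = 43
NH_ICMPV6 = 58
NH_DSTOPTS = 60
# Extension headers laid out as Next Header + Hdr Ext Len that we can step over.
WALKABLE = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}


def walk_extension_headers(pkt):
    """Yield (header_type, header_bytes) for each walkable extension header."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("short packet")
    nh = pkt[6]                      # Next Header field of the fixed IPv6 header
    off = IPV6_HDR_LEN
    while nh in WALKABLE:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        total = (pkt[off + 1] + 1) * 8   # Hdr Ext Len excludes the first 8 octets
        if off + total > len(pkt):
            raise ValueError("truncated extension header")
        yield nh, pkt[off:off + total]
        nh = pkt[off]
        off += total


def parse_rh0(ext):
    """Return (segments_left, [IPv6Address]) for a Type 0 routing header, else None."""
    _next_hdr, hdr_ext_len, routing_type, segments_left = struct.unpack_from("!BBBB", ext, 0)
    if routing_type != 0:
        return None                  # other routing types are out of scope here
    if hdr_ext_len % 2 != 0:
        raise ValueError("RH0 Hdr Ext Len must be even")   # RFC 2460 section 4.4
    addrs = [ipaddress.IPv6Address(ext[8 + 16 * i:24 + 16 * i])
             for i in range(hdr_ext_len // 2)]
    return segments_left, addrs


def check_rh0(pkt):
    """Apply the proposed rules; return (accept, reason)."""
    src = ipaddress.IPv6Address(pkt[8:24])
    rh0_seen = 0
    try:
        for nh, hdr in walk_extension_headers(pkt):
            if nh != NH_ROUTING:
                continue
            parsed = parse_rh0(hdr)
            if parsed is None:
                continue
            rh0_seen += 1
            if rh0_seen > 1:
                return False, "more than one RH0 in packet"
            segments_left, addrs = parsed
            if segments_left > len(addrs):
                return False, "Segments Left exceeds address count"
            if src in addrs:
                return False, "RH0 address list contains packet source (rule 1)"
            if len(set(addrs)) != len(addrs):
                return False, "RH0 address list repeats an address (rule 2)"
    except ValueError as exc:
        return False, str(exc)
    return True, ("ok" if rh0_seen else "no RH0")


def build_packet(src, dst, via, segments_left=None, copies=1, payload=b""):
    """Construct an IPv6 packet carrying `copies` identical RH0 headers (demo only)."""
    via = [ipaddress.IPv6Address(a) for a in via]
    if segments_left is None:
        segments_left = len(via)
    addrs = b"".join(a.packed for a in via)
    ext = b""
    for i in range(copies):
        nh = NH_ROUTING if i < copies - 1 else NH_ICMPV6
        ext += struct.pack("!BBBBI", nh, 2 * len(via), 0, segments_left, 0) + addrs
    ip6 = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), NH_ROUTING, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + ext + payload


if __name__ == "__main__":
    # Firewall-style redirect: one intermediate hop, final destination in the list.
    print(check_rh0(build_packet("2001:db8::1", "2001:db8::fe", ["2001:db8:1::50"])))
    # Address list bouncing between two hosts: caught by rule 2.
    print(check_rh0(build_packet("2001:db8::1", "2001:db8::a",
                                 ["2001:db8::b", "2001:db8::a"] * 20)))
    # Packet source appears in the list: caught by rule 1.
    print(check_rh0(build_packet("2001:db8::1", "2001:db8::a", ["2001:db8::1"])))
    # Two RH0 headers in one packet: caught by the per-packet limit.
    print(check_rh0(build_packet("2001:db8::1", "2001:db8::fe", ["2001:db8:1::50"], copies=2)))
```

The single-hop redirect passes while the bouncing list, the source-in-list case and the double header are all dropped, which is the behaviour the rules were proposed to produce; the check is a node-side validation and says nothing about whether a firewall can inject an RH0 the source never emitted.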