Re: Forwarding Packets With Link Local Destination Addresses

Markku Savela <msa@moth.iki.fi> Fri, 08 January 2021 11:13 UTC

Subject: Re: Forwarding Packets With Link Local Destination Addresses
To: ipv6@ietf.org
References: <DM6PR05MB6348A18046C5DDC7CF2AED76AEAF0@DM6PR05MB6348.namprd05.prod.outlook.com> <fc2600de-308a-7162-db12-d1d906302494@si6networks.com> <CAJE_bqfSkvpT0PfbGxPmJ450+_DWH_66O9h=pbRkn36mB27sBA@mail.gmail.com> <3F8BB900-B77E-473D-8DF2-02FEA3E2BA32@tzi.org>
From: Markku Savela <msa@moth.iki.fi>
Message-ID: <2b6e4c6e-b4ab-a23f-72f8-d91442331622@moth.iki.fi>
Date: Fri, 8 Jan 2021 13:13:46 +0200
In-Reply-To: <3F8BB900-B77E-473D-8DF2-02FEA3E2BA32@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/DgVrkwJet5j-Me6_CrLB1EAYOGs>

Uhh,

I think the limitation (don't forward from higher scope to local on a routing header) should be kept and made an extremely strong rule, especially if the final address is a link local. No exceptions, ever.

ND is already open to local attacks on the local network, but this is accepted. But, if a random person on the internet anywhere can inject ND packets via a routing header from outside the local network, it would be very bad...

regards,
-- Markku Savela
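The forwarding rule argued for in this message, as an added example that is not code from the poster or the 6man list: a router-side check that looks past any routing header to the address the packet will finally be delivered to and refuses to forward when either the current or the final destination is link-local (fe80::/10). It assumes only routing types 0 and 4 (the SRH of RFC 8754) need decoding, fails closed on anything else, and builds its own sample packets.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ROUTING = 43
SKIPPABLE = {0, 60}  # hop-by-hop and destination options may precede a routing header

def final_destination(pkt: bytes):
    """Address the packet will ultimately be delivered to, after any routing header.
    Handles routing type 0 (final = last listed address) and type 4, the SRH of
    RFC 8754 (final = Segment List[0]); anything unparseable yields None."""
    if len(pkt) < 40:
        return None
    nxt, dest, off = pkt[6], ipaddress.IPv6Address(pkt[24:40]), 40
    while nxt in SKIPPABLE or nxt == ROUTING:
        if off + 8 > len(pkt):
            return None
        total = (pkt[off + 1] + 1) * 8          # Hdr Ext Len is in 8-octet units, excluding the first
        if off + total > len(pkt):
            return None
        if nxt == ROUTING:
            rtype, segs_left = pkt[off + 2], pkt[off + 3]
            if segs_left == 0:                  # routing header already fully consumed
                return dest
            if rtype == 4:
                end = off + 8 + 16 * (pkt[off + 4] + 1)   # Last Entry + 1 segments
                return ipaddress.IPv6Address(pkt[off + 8:off + 24]) if end <= off + total else None
            if rtype == 0 and total > 8:
                return ipaddress.IPv6Address(pkt[off + total - 16:off + total])
            return None                         # unknown routing type: fail closed
        nxt, off = pkt[off], off + total
    return dest

def should_forward(pkt: bytes) -> bool:
    """Router policy from the thread: never forward toward a link-local address,
    whether it is the current destination or the final one behind a routing header."""
    final = final_destination(pkt)
    if final is None:
        return False
    dest = ipaddress.IPv6Address(pkt[24:40])
    return dest not in LINK_LOCAL and final not in LINK_LOCAL

def build(src, dst, segments=(), rtype=4):
    """Constructed sample packet: IPv6 header, optional routing header, no payload.
    For type 4 `segments` lists the final destination first; for type 0, last."""
    n, ext, nxt = len(segments), b"", 58
    if n:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in segments)
        if rtype == 4:
            ext = struct.pack("!BBBBBBH", 58, 2 * n, 4, n - 1, n - 1, 0, 0) + addrs
        else:
            ext = struct.pack("!BBBBI", 58, 2 * n, 0, n, 0) + addrs
        nxt = ROUTING
    hdr = struct.pack("!IHBB", 0x60000000, len(ext), nxt, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext
```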