RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Headerissues]
Pekka Savola <pekkas@netcore.fi> Mon, 30 April 2007 07:43 UTC
Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HiQXl-0007s1-67; Mon, 30 Apr 2007 03:43:33 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HiQXj-0007rm-Q2 for ipv6@ietf.org; Mon, 30 Apr 2007 03:43:31 -0400
Received: from eunet-gw.ipv6.netcore.fi ([2001:670:86:3001::1] helo=netcore.fi) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HiQXi-00068s-Dv for ipv6@ietf.org; Mon, 30 Apr 2007 03:43:31 -0400
Received: from netcore.fi (localhost [127.0.0.1]) by netcore.fi (8.13.8/8.13.8) with ESMTP id l3U7hPnV013492; Mon, 30 Apr 2007 10:43:25 +0300
Received: from localhost (pekkas@localhost) by netcore.fi (8.13.8/8.13.8/Submit) with ESMTP id l3U7hOsc013489; Mon, 30 Apr 2007 10:43:25 +0300
Date: Mon, 30 Apr 2007 10:43:24 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: Dave Thaler <dthaler@windows.microsoft.com>
In-Reply-To: <271CF87FD652F34DBF877CB0CB5D16FC053929E6@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
Message-ID: <Pine.LNX.4.64.0704301015180.11725@netcore.fi>
References: <462D4706.4000504@spaghetti.zurich.ibm.com> <462E7AB4.3050807@piuha.net><m2mz0xp6je.wl%gnn@neville-neil.com> <20070425093402.A30586@mignon.ki.iif.hu> <20070425141336.E95D522875@thrintun.hactrn.net> <462F7005.50700@sri.com><CE11116E-DF68-481D-AB30-E592C339CEFB@nokia.com> <46323659.2090406@piuha.net> <271CF87FD652F34DBF877CB0CB5D16FC053929E6@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Virus-Scanned: ClamAV 0.90.2/3179/Sun Apr 29 13:28:45 2007 on otso.netcore.fi
X-Virus-Status: Clean
X-Spam-Status: No, score=-3.3 required=5.0 tests=ALL_TRUSTED, AWL, BAYES_00 autolearn=ham version=3.1.8
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on otso.netcore.fi
X-Spam-Score: -2.8 (--)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>
Subject: RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Headerissues]
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org
Hi, On Fri, 27 Apr 2007, Dave Thaler wrote: > Two scenarios that are much less harmful are > when there is only 1 address in only one RH0: > 1) when the intermediate destination address and the final > destination address are addresses of the same node. > 2) when the final destination address is equal to the > source address. > > In both cases, the intermediate destination isn't being > used as transit between two other nodes. A sample use > case of the second scenario is for a round-trip > traceroute. FWIW, I personally think 2) [turn off by default everywhere] seems like the best choice, but I think 1) [deprecate] would also be OK. I wouldn't mind 4) but I wonder if it's worth the trouble. Some IPv4 perspective: ---------------------- IPv4 specifications (RFC 1812) require source routing to be enabled on routers by default (a MUST). IPv4 hosts MAY process routing headers (RFC 1122) and there are some specifications what should happen. It seems that -- specification-wise -- the same attacks as exist for IPv6 (multiple routing headers, multiple waypoints) are possible with IPv4 as well. IPv4 specifications also require that a host MUST reverse the routing header if they're a final recipient (leading to a symmetric return path). (IPv6 specs allow reversing only if RT header was authenticated) Because attacks would likely be possible using v4 source routing as well -- unless implementation defaults differ significantly here -- we should be able to walk, not run, to a decision. Similarly, a decision should likely affect IPv4 as well. Some operations perspective: ---------------------------- Please remember that using source routing for 'reverse path traceroute' is only possible if networks don't implement ingress/egress filtering. As such, I cannot support the 'reverse path traceroute' usage scenario for source routing, because doing so shouldn't work in the first place in well-operated networks, and could be yet another roadblock to appropriate filtering. The other scenario Dave mentions is AFAICS the one where type 2 routing header was designed for, and could probably be used in that scenario as well, even if MIPv6 was not used. A couple of folks mentioned using routing header for traffic path selection (in the middle of the network). That also interferes with ingress/egress filtering, but not quite as badly. This is probably mostly useful for research purposes and I'm having difficulty seeing a business case for doing this in production. The reason why I'd prefer disabling instead of complete deprecation is that I can imagine use cases where source routing can be a useful diagnostics tool inside one administrative domain, and if we deprecate it, it's gone for good (unless we define a new type, and transition to it would take a long time). On the other hand, given that these usage cases are rather limited, I don't think they're in wide use, and still cause problems for ingress/egress filters, I'm also ok with deprecation. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- IPv6 Type 0 Routing Header issues Jeroen Massar
- Re: IPv6 Type 0 Routing Header issues Jari Arkko
- Re: IPv6 Type 0 Routing Header issues George V. Neville-Neil
- Re: IPv6 Type 0 Routing Header issues Mohacsi Janos
- Re: IPv6 Type 0 Routing Header issues David Malone
- Re: IPv6 Type 0 Routing Header issues Remi Denis-Courmont
- Re: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino
- Re: IPv6 Type 0 Routing Header issues Paul Vixie
- Re: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino
- Re: IPv6 Type 0 Routing Header issues Rob Austein
- Re: IPv6 Type 0 Routing Header issues Tim Enos
- Question for IPv6 w.g. on [Re: IPv6 Type 0 Routin… Bob Hinden
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Perry Lorier
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Brian E Carpenter
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… David Malone
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… David Malone
- Re: IPv6 Type 0 Routing Header issues Ed Jankiewicz
- Re: IPv6 Type 0 Routing Header issues Gert Doering
- Re: IPv6 Type 0 Routing Header issues Gert Doering
- RE: IPv6 Type 0 Routing Header issues Manfredi, Albert E
- RE: IPv6 Type 0 Routing Header issues Tony Hain
- RE: IPv6 Type 0 Routing Header issues Tony Hain
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Tony Hain
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… james woodyatt
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… james woodyatt
- Re: IPv6 Type 0 Routing Header issues George V. Neville-Neil
- Re: IPv6 Type 0 Routing Header issues Alun Evans
- Re: IPv6 Type 0 Routing Header issues Jeroen Massar
- Re: IPv6 Type 0 Routing Header issues David Malone
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: IPv6 Type 0 Routing Header issues Ebalard, Arnaud
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Ignatios Souvatzis
- itojun2.0 (RE: IPv6 Type 0 Routing Header issues) Jun-ichiro itojun Hagino 2.0
- Re: itojun2.0 (RE: IPv6 Type 0 Routing Header iss… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jari Arkko
- RE: IPv6 Type 0 Routing Header issues Manfredi, Albert E
- RE: IPv6 Type 0 Routing Header issues Tony Hain
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Dave Thaler
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Tim Hartrick
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- RE: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Theo de Raadt
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Bob Hinden
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Pekka Savola
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Brian E Carpenter
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Pars Mutaf
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Theo de Raadt
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Dave Thaler
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Eric Klein
- Re: IPv6 Type 0 Routing Header issues james woodyatt
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Brian E Carpenter
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Roger Jorgensen
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jeroen Massar
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Paul Vixie
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Eric Klein
- Re: IPv6 Type 0 Routing Header issues George V. Neville-Neil
- Re: IPv6 Type 0 Routing Header issues Ebalard, Arnaud
- Re: IPv6 Type 0 Routing Header issues gnn
- Re: IPv6 Type 0 Routing Header issues Mini
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jeroen Massar
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Eric Klein
- Re: Question for IPv6 w.g. on Kenjiro Cho
- Re: itojun2.0 (RE: IPv6 Type 0 Routing Header iss… Jun-ichiro itojun Hagino 2.0
- Re: itojun2.0 (RE: IPv6 Type 0 Routing Header iss… Jun-ichiro itojun Hagino 2.0
- Re: IPv6 Type 0 Routing Header issues David Malone
- Re: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino 2.0