Re: Question for IPv6 w.g. on

Kenjiro Cho <kjc@iijlab.net> Sat, 05 May 2007 12:48 UTC

Date: Sat, 05 May 2007 21:49:10 +0900
Message-Id: <20070505.214910.35874675.kjc@iijlab.net>
To: ipv6@ietf.org
From: Kenjiro Cho <kjc@iijlab.net>
In-Reply-To: <CE11116E-DF68-481D-AB30-E592C339CEFB@nokia.com>
References: <20070425141336.E95D522875@thrintun.hactrn.net> <462F7005.50700@sri.com> <CE11116E-DF68-481D-AB30-E592C339CEFB@nokia.com>

I'm sending this on behalf of itojun.
I talked with itojun today over the phone.
He now seems to have understood that his strong language does not help
us move forward.
He has asked me to translate his intention into plain English and post
it to the list on his behalf.
So, I'm trying my best.

>   1) Deprecate all usage of RH0

itojun has been spending his life on IPv6, and took the rthdr0 issue
very seriously.
The language he used was completely inappropriate.  It was partly due
to his mental condition and the effect of the pills, but he was in a
panic mode and thought such language would help to push people.

Anyway, technical points itojun was trying to make are:
 - Please do not underestimate the security risk.  It is very easy to
   exploit this security hole; it only takes finding 2 vulnerable machines.
   The damage could be fatal for the IPv6 deployment if simultaneous
   attacks are well orchestrated.

 - For KAME derived implementations, please apply the 2 patches from
   the KAME tree described at
   http://www.kame.net/newsletter/20070502/index.html
   One is for not processing rthdr0, and the other is for immediately
   dropping packets with more than one routing header in ip6_input().

 - Please do not leave a sysctl knob for accepting rthdr0.  Its risks
   are too high for very limited benefits.

Hope this helps.

-Kenjiro

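The two filtering rules the mail asks for (reject any rthdr0, drop a packet carrying more than one routing header) as an added, stand-alone C example; this is not the KAME patch and does not touch ip6_input(). rthdr_filter, the verdict names and the sample packets are constructed for this illustration; the next-header numbers are the IANA values.

```c
#include <stddef.h>
#include <stdint.h>
#define IPV6_HDR_LEN 40
enum { NH_HOPOPTS = 0, NH_UDP = 17, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };
#define RTHDR_TYPE0 0                  /* the deprecated routing type */
enum verdict { ACCEPT, DROP_RTHDR0, DROP_MULTI_RTHDR, DROP_MALFORMED };
/* Hypothetical filter, not the KAME patch: walk the extension-header chain of
 * the IPv6 packet in pkt[0..len), reject any type-0 routing header and any
 * packet carrying more than one routing header; truncated input is malformed. */
enum verdict rthdr_filter(const uint8_t *pkt, size_t len)
{
    size_t off = IPV6_HDR_LEN, hlen = 0;
    int nrthdr = 0;
    uint8_t nh;
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return DROP_MALFORMED;
    for (nh = pkt[6]; ; nh = pkt[off], off += hlen) {  /* pkt[6]: Next Header of fixed header */
        switch (nh) {
        case NH_HOPOPTS: case NH_DSTOPTS: case NH_ROUTING:
            if (off + 2 > len)
                return DROP_MALFORMED;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;     /* Hdr Ext Len: 8-octet units, first 8 excluded */
            break;
        case NH_FRAGMENT:
            hlen = 8;                                   /* fixed size, no length field */
            break;
        default:
            return ACCEPT;                              /* upper-layer header: chain ends */
        }
        if (off + hlen > len)
            return DROP_MALFORMED;
        if (nh == NH_ROUTING) {
            if (++nrthdr > 1)
                return DROP_MULTI_RTHDR;
            if (pkt[off + 2] == RTHDR_TYPE0)            /* Routing Type field */
                return DROP_RTHDR0;
        }
    }
}
/* Constructed sample packets: all-zero addresses; payload length set but unused. */
#define Z8 0,0,0,0,0,0,0,0
#define IP6_FIXED(nh, plen) 0x60,0,0,0, 0,(plen), (nh),64, Z8,Z8,Z8,Z8
static const uint8_t sample_rthdr0[] = { IP6_FIXED(NH_ROUTING, 24),
    NH_UDP, 2, RTHDR_TYPE0, 1, 0,0,0,0, Z8,Z8 };                    /* RH0 with one address */
static const uint8_t sample_two_rh[] = { IP6_FIXED(NH_ROUTING, 48),
    NH_ROUTING, 2, 2, 1, 0,0,0,0, Z8,Z8, NH_UDP, 2, 2, 1, 0,0,0,0, Z8,Z8 }; /* two RH2 */
static const uint8_t sample_plain[] = { IP6_FIXED(NH_HOPOPTS, 16),
    NH_UDP, 0, 1,4, 0,0,0,0, 0,53, 0,53, 0,8, 0,0 };                /* HBH + UDP */
static const uint8_t sample_trunc[] = { IP6_FIXED(NH_ROUTING, 24), NH_UDP, 2, RTHDR_TYPE0, 1 };
```

The truncated sample shows why the length check runs before the type check: a routing header cut short is rejected outright rather than reaching the type test.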
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------