Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
Jeroen Massar <jeroen@unfix.org> Mon, 30 April 2007 11:23 UTC
Message-ID: <4635D1C2.6010906@spaghetti.zurich.ibm.com>
Date: Mon, 30 Apr 2007 12:23:46 +0100
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
To: IETF IPv6 Mailing List <ipv6@ietf.org>
References: <0A34B154-A146-4700-A70F-1A5792D1B405@eads.net>
In-Reply-To: <0A34B154-A146-4700-A70F-1A5792D1B405@eads.net>
Cc: "Ebalard, Arnaud" <Arnaud.Ebalard@eads.net>
Hi,

First off, my take on this is to disable RH0 and deprecate it. This has already been done in all the SixXS PoPs to avoid them and their users to be a source/destination of this problem. Although it would be fun to see the traffic levels go over 0.1% of IPv4 that kind of traffic is not the traffic we want to see I guess :)

Also quite a large number of operators are already DROP-ing these options. Which leads to another question: Should one DROP or REJECT (icmp admin prohibited) these packets? Pros/Cons on this anyone?

Ebalard, Arnaud wrote:
[..]
> For IPv6, since last week, all major stacks are already no more IPv6
> compliant regarding RH0 processing :
>
> FreeBSD : http://security.freebsd.org/advisories/FreeBSD-SA-07:03.ipv6.asc
> OpenBSD : http://openbsd.org/errata40.html#012_route6
> NetBSD : http://www.nabble.com/heads-up:-IPv6-routing-header-0-issues-t3643494.html
> Linux : http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.9
>
> Apple is aware of the issue, but has more latency.
> Cisco and Juniper too, but no public statement/decision is available
> yet (this is obviously not that simple for them).

I've started collecting ways to disable this at:
http://www.sixxs.net/faq/connectivity/?faq=filters

This also lists Cisco already who made a security announcement quite some days ago, see the following URL which includes workarounds:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

Not all platforms are addressed with that of course and most thus require updates, for some though there are no updates yet. From Juniper I only know that they are 'working on it' and that was an unofficial statement from one of their employees.

[..]
>> On the other hand, given that these usage cases are rather limited, I
>> don't think they're in wide use, and still cause problems for
>> ingress/egress filters, I'm also ok with deprecation.
>
> You should also add anycast to the list.

Why Anycast? I guess you are not using any Root DNS servers or any content distribution network? :) There are a lot of uses for anycast, which you won't even notice that they are being used. Also Anycast per se is not a special feature of IPv6, it is also used in IPv4.

Greets,
 Jeroen
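
Added example, not part of the original message or of any code from the posters: a sketch of the filter decision discussed above, which walks the IPv6 extension header chain, flags a Type 0 Routing Header, and returns DROP or REJECT. The function names, verdict strings and sample packets (built on 2001:db8::/32 documentation addresses) are assumptions made for illustration; non-first fragments are not reassembled.

```python
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_rh0(packet: bytes):
    """Return (segments_left, addresses) for the first Type 0 Routing Header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, ext_len = packet[offset], packet[offset + 1]
        # Fragment headers are a fixed 8 bytes; the others are (ext_len + 1) * 8.
        size = 8 if next_header == FRAGMENT else (ext_len + 1) * 8
        if offset + size > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING and packet[offset + 2] == 0:
            body = packet[offset + 8:offset + size]  # skip the 4 reserved bytes
            addrs = [IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
            return packet[offset + 3], addrs
        if next_header == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            return None  # non-first fragment: what follows is payload, not headers
        next_header, offset = following, offset + size
    return None

def verdict(packet: bytes, reject: bool = False) -> str:
    """Refuse any packet carrying RH0; other routing types pass through."""
    try:
        hit = find_rh0(packet)
    except ValueError:
        return "DROP"  # malformed chain: fail closed
    if hit is None:
        return "ACCEPT"
    # REJECT tells the sender why (ICMPv6 admin prohibited); DROP stays silent.
    return "REJECT icmp6-adm-prohibited" if reject else "DROP"

def build_packet(ext_chain: bytes, first_next_header: int) -> bytes:
    """Constructed sample: fixed IPv6 header followed by ext_chain."""
    src, dst = IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(ext_chain), first_next_header, 64)
    return fixed + src + dst + ext_chain

# Constructed samples: RH0 with one address and Segments Left = 1; a packet with no headers.
RH0 = bytes([NO_NEXT, 2, 0, 1, 0, 0, 0, 0]) + IPv6Address("2001:db8::99").packed
WITH_RH0 = build_packet(RH0, ROUTING)
PLAIN = build_packet(b"", NO_NEXT)
```
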