Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]

Tim Enos <timbeck04@verizon.net> Tue, 08 May 2007 19:01 UTC

From: Tim Enos <timbeck04@verizon.net>
To: Bob Hinden <bob.hinden@nokia.com>, IETF IPv6 Mailing List <ipv6@ietf.org>
Subject: Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]

Hi Bob/all,

I advocate for option #1. IMO, the paper found by following the link below makes a good case against the use of IPv6 Routing Header Type 0: 

http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf.

The following I-D (perhaps among others) also succinctly delineates the potential security problems with its use:

draft-savola-ipv6-rh-ha-security-03.txt.

Whether it's the potential to reach a hidden host via a visible one, the ability to use reflection to launch a DoS attack, or other security issues as noted both on this list and in the above-referenced papers (and others), deprecation of Routing Header Type 0 (aka option #1) is best.

The implicit curriculum of #2 and #3 really seems to be that RH0 processing can be enabled. Also, to me it seems that #4 just gives us slightly less of a bad thing. Even workarounds such as ingress filtering with properly configured ACLs could also technically be used by an attacker.

I would also prefer that RH0 be silently dropped but could live with an ICMPv6 error message being sent back to the sending host (error messages are rate-limited). Not processing but forwarding RH0 does not seem to make sense.

Best Regards,

Timothy Enos
Rom 8:28

>From: Bob Hinden <bob.hinden@nokia.com>
>Date: 2007/04/25 Wed PM 07:39:40 CDT
>To: IETF IPv6 Mailing List <ipv6@ietf.org>
>Subject: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]

>[trimming this to just the IPv6 w.g.]
>
>We think the question for the IPv6 working group on this topic is  
>does the working group want to do anything to address the issues  
>raised about the Type 0 routing header.  Possible actions include:
>
>  1) Deprecate all usage of RH0
>  2) Recommend that RH0 support be off by default in hosts and routers
>  3) Recommend that RH0 support be off by default in hosts
>  4) Limit its usage to one RH0 per IPv6 packet and limit the number of addresses in one RH0.
>
>These examples are not all mutually exclusive.
>
>Please respond to the list with your preference and justifications.
>
>Thanks,
>Bob Hinden / Brian Haberman
>IPv6 W.G. Chairs
>
>p.s. We will send a note to the other lists that the IPv6 w.g. will  
>be discussing this issue.
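The drop-versus-ICMPv6-error handling discussed in the reply above, as an added example written for this page (not code from the thread, the cited paper or I-D, or any implementation): it walks an IPv6 extension-header chain, discards a packet carrying a Type 0 Routing Header with Segments Left greater than zero while recording the offset of the Routing Type field that an ICMPv6 Parameter Problem would point at, and rate-limits error replies with a token bucket so the error path cannot become a reflector. Header layout follows RFC 2460; the sample packets, the 2001:db8:: addresses and the limiter parameters are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ROUTING_HEADER, FRAGMENT = 43, 44
WALKABLE = {0, 60, 43, 44}  # hop-by-hop, destination options, routing, fragment
@dataclass
class Verdict:
    action: str                         # "forward", "drop" or "drop+icmp"
    icmp_pointer: Optional[int] = None  # offset of the Routing Type field

def inspect_ipv6(packet: bytes, send_icmp: bool) -> Verdict:
    """Walk the extension-header chain. An RH0 with Segments Left > 0 is
    discarded (optionally with an ICMPv6 Parameter Problem, Code 0, pointing
    at Routing Type); an RH0 with Segments Left == 0 is ignored."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    while next_hdr in WALKABLE:
        if offset + 8 > len(packet):
            return Verdict("drop")      # truncated header chain
        if next_hdr == ROUTING_HEADER:
            routing_type, segments_left = packet[offset + 2], packet[offset + 3]
            if routing_type == 0 and segments_left > 0:
                return Verdict("drop+icmp" if send_icmp else "drop", offset + 2)
        # Fragment header is a fixed 8 octets; the others carry Hdr Ext Len
        # in 8-octet units not counting the first 8
        length = 8 if next_hdr == FRAGMENT else (packet[offset + 1] + 1) * 8
        next_hdr, offset = packet[offset], offset + length
    return Verdict("forward")

class IcmpRateLimiter:
    """Token bucket so error replies cannot be turned into an amplifier."""
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate_per_sec, burst, float(burst), 0.0
    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def build_rh0_packet(payload_next: int, addresses: List[bytes], segments_left: int) -> bytes:
    """Constructed sample: IPv6 header followed by one Type 0 routing header."""
    rh = bytes([payload_next, 2 * len(addresses), 0, segments_left, 0, 0, 0, 0])
    rh += b"".join(addresses)
    src, dst = bytes.fromhex("20010db8" + "0" * 23 + "1"), bytes.fromhex("20010db8" + "0" * 23 + "2")
    ip = struct.pack("!IHBB", 0x60000000, len(rh), ROUTING_HEADER, 64) + src + dst
    return ip + rh
```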
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------