RE: ICMPv6 echo reply to multicast packet thread

Pekka Savola <pekkas@netcore.fi> Wed, 10 March 2004 06:25 UTC

Date: Wed, 10 Mar 2004 08:20:19 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: Jeroen Massar <jeroen@unfix.org>
cc: 'Suresh Krishnan' <suresh.krishnan@ericsson.ca>, 'Jyrki Soini' <jyrki.soini@teliasonera.com>, ipv6@ietf.org
Subject: RE: ICMPv6 echo reply to multicast packet thread
In-Reply-To: <20040310003144.5A3C286F1@purgatory.unfix.org>
Message-ID: <Pine.LNX.4.44.0403100815030.23664-100000@netcore.fi>

On Wed, 10 Mar 2004, Jeroen Massar wrote:
> > On Mon, 8 Mar 2004, Jyrki Soini wrote:
> > >The consequence is that the original Echo Request packet gets 100 000
> > >000 unicast Echo Reply messages back.
> > 
> > I do not see anything wrong with this scenario. If I send an ICMP
> > Echo Request to 100M nodes I MUST expect an Echo reply from 100M
> > nodes. How about if I sent a DATA packet, which requires an ACK,
> > to the group by mistake?
> 
> I guess that Jyrki's thoughts were more along the lines of:
> "What if I send a simple ICMPv6 Echo Request with *your* source address".

Note that when you send to a multicast address, your source address is 
checked to be RPF-wise correct, otherwise it's dropped in the 
multicast forwarding.  So, I don't think spoofing is that feasible a 
scenario in "multicast ping".

If we disallow ICMP Echo Request, what about other services (TCP/UDP) 
that may be listening at the receiver systems?  Those could be 
likewise affected -- TCP SYN/ACK, or a UDP response packet could have 
tremendous effect on the network as well.

Inevitably, we seem to be reaching the conclusion that we cannot 
avoid this at the specification level -- but the solution lies with the 
concerned parties in the form of filtering.

Note that this problem does not (really) exist if SSM is used, and
this is easily prevented if draft-ietf-mboned-embeddedrp-02.txt is
used (which are the only two reasonable options), as you can put in
filters in your RP configuration, preventing anyone (except specific
sources) from sending packets to the members of the group.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
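The two defences Pekka mentions (the RPF check on the source address in multicast forwarding, and a per-group source filter of the kind SSM or an RP configuration gives you) modelled as a forwarding decision. This is an added illustration, not code from the thread; the routing table, interface names and group policy are constructed sample data, and the policy lookup is a simplification of what a real RP or SSM-capable router does.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed unicast routing table: (prefix, interface leading towards it).
# An RPF check accepts a multicast packet only if it arrived on the interface
# the router would itself use to reach the packet's *source* address.
UNICAST_RIB = [
    (ipaddress.ip_network("2001:db8:1::/48"), "eth0"),
    (ipaddress.ip_network("2001:db8:2::/48"), "eth1"),
    (ipaddress.ip_network("2001:db8::/32"), "eth2"),   # less-specific fallback
]

# Constructed per-group source filter, standing in for the policy the mail
# describes at the RP (or implied by SSM): only listed sources may send to
# the group. A group with no entry accepts any source (plain ASM behaviour).
GROUP_SOURCE_POLICY: Dict[str, List[str]] = {
    "ff3e::8000:1": ["2001:db8:1::10"],   # SSM-style: one permitted sender
}


def rpf_interface(src: str) -> Optional[str]:
    """Longest-prefix match of the source address against the unicast RIB."""
    addr = ipaddress.ip_address(src)
    best: Optional[Tuple[ipaddress.IPv6Network, str]] = None
    for prefix, ifname in UNICAST_RIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, ifname)
    return best[1] if best else None


def forward_decision(src: str, group: str, in_iface: str) -> Tuple[bool, str]:
    """Return (forward?, reason) for a multicast packet from src to group."""
    expected = rpf_interface(src)
    if expected is None:
        return False, "no route to source"
    if expected != in_iface:
        # A packet carrying someone else's source address normally fails here:
        # it did not arrive on the interface that faces the claimed source.
        return False, f"RPF failure: expected {expected}, got {in_iface}"
    allowed = GROUP_SOURCE_POLICY.get(group)
    if allowed is not None and src not in allowed:
        return False, "source not permitted for this group"
    return True, "ok"
```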