IETF Logo Mail Archive

Re: [v6ops] A good example of why we need to careful about ULAs

Owen DeLong <owen@delong.com> Sat, 01 June 2013 04:38 UTC

Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ED8A21F8E8F for <v6ops@ietfa.amsl.com>; Fri, 31 May 2013 21:38:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level:
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ml9hdS-FjFCX for <v6ops@ietfa.amsl.com>; Fri, 31 May 2013 21:38:36 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id 1DEE821F8E8C for <v6ops@ietf.org>; Fri, 31 May 2013 21:38:35 -0700 (PDT)
Received: from [192.168.6.83] (ip-64-134-24-48.public.wayport.net [64.134.24.48]) (authenticated bits=0) by owen.delong.com (8.14.2/8.14.1) with ESMTP id r514X4N0010836 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 31 May 2013 21:33:09 -0700
X-DKIM: Sendmail DKIM Filter v2.8.3 owen.delong.com r514X4N0010836
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=delong.com; s=mail; t=1370061191; bh=E/FFYp38Wt+YkUKCDUZloeNp24A=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=QvCp3JcE94oMt/onyJbF3qbZSkXKHXtY0bsBmMLdJxJwie7Jur8KJxW4TMdUxe6vT iLgmCu25fxBIE++9yivtM4c/0tYovyeYgP4SZvBNcTcgbit1JKhSaY7u+8ElOML5Kc AwjIW+uzzjrh8g/Nw5uM2EEzlrx3gdFymhLTLOcY=
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Owen DeLong <owen@delong.com>
In-Reply-To: <51A97375.1090402@gmail.com>
Date: Fri, 31 May 2013 21:33:03 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <33795D9E-6174-4373-9506-0D62ED9013D0@delong.com>
References: <CAKD1Yr29kf1Me=6JR66Gq0dFYgQx2wq=pjW8WZyHByPA0POsMQ@mail.gmail.com> <1369901467.70362.YahooMailNeo@web142506.mail.bf1.yahoo.com> <51A7C86B.3020808@gmail.com> <BCEC2341-CF91-4184-B14A-FE0BE683F89F@delong.com> <8D23D4052ABE7A4490E77B1A012B6307751BFE04@mbx-01.win.nominum.com> <4CB10EDC-1E2B-4423-AD77-7B6062F80579@delong.com> <51A97375.1090402@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-Mailer: Apple Mail (2.1503)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0rc1 (owen.delong.com [192.159.10.2]); Fri, 31 May 2013 21:33:11 -0700 (PDT)
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>, "draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org" <draft-ietf-v6ops-ula-usage-recommendations@tools.ietf.org>
Subject: Re: [v6ops] A good example of why we need to careful about ULAs
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Jun 2013 04:38:37 -0000

On May 31, 2013, at 9:07 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:

> On 01/06/2013 14:44, Owen DeLong wrote:
>> On May 31, 2013, at 7:21 PM, Ted Lemon <Ted.Lemon@nominum.com> wrote:
>> 
>>> On May 31, 2013, at 10:01 PM, Owen DeLong <owen@delong.com> wrote:
>>>> How is having them leak in attempted TCP connections worse than having them leak in ICMP headers? It's still an invalid header.
>>> The ttl exceeded return packet doesn't expect a return packet of its own, so the fact that there's a "bogus" IP address on the header causes no harm, despite being technically wrong.   Filtering the packet based on the source address, on the other hand, would cause harm.   Nobody ever said life was going to be simple.
>> 
>> The TTL Exceeded packet shouldn't get forwarded by any router as a result of the LL Source address.
>> 
>> Thus it should never reach its destination.
> 
> Agreed. But when it does get through, it does no particular
> harm (you just see a bizarre hop in the traceroute). If it got
> through in a SYN/ACK exchange, it would probably distress a user.
> 

If it gets through, then it is an indication that every router between the one that sourced the packet and the recipient host is broken.

True, the packet itself is "mostly harmless", but…

>> 
>> Thus it will break traceroutes.
>> 
>> Thus it is harmful.
> 
> I'm not defending bad practice; just observing that it doesn't
> cause a disaster in trace route.

And I'm saying that if any of the routers between the LL-packet generating router and the recipient are working correctly, it does, in fact, break traceroute.

Owen

v2.23.0 | Report a Bug | By Email