
Re: IETF multihoming powder: just add IPv6 and stir



Iljitsch;

> > OTOH, rewriting of source locator is not so useful, though I have
> > no reason to forbid it.
> 
> Unless the source address is already a valid address assigned by the 
> ISP you're forwarding the packet to (which can't by definition always 
> be the case in a locator/identifier scheme),

That's why I gave an overview in draft-ohta-e2e-multihoming-03.txt:

   However, to enable source address filtering to discard packets with
   source addresses not belonging to an ISP, it is useful to enable a
   host, not some intelligent intermediate router, select a source
   address compatible with an outgoing ISP.  For that purpose, intra
   domain routing protocols should maintain routing table entries with
   not only preference values of an external routes, but also proper
   prefixes to be selected for source addresses, if the entries are
   chosen by a host.

The solutions should be end to end, so that complex functionality must
be performed only on hosts.

Hosts need help from routing protocols.

Traditionally, when only a single address was usually assigned to each
interface and when hosts with multiple interfaces were routers, the
address of the outgoing interface was the source address.

However, with multiple addresses on an interface, selection of the
source address/locator can be performed properly only with help from
the routing protocol, which is a reason why IPv6 is broken in
source address selection.

> you need to rewrite it in 
> order to get through ingress filtering and to be able to receive ICMP 
> messages.

No. See above.

> Remember that path MTU discovery is pretty much mandatory in 
> IPv6 so you need those ICMPs.

No. PMTUD is one, among many, of the useless features of IPv6.

Worse, implementations are wrong to do it at IP layer, where there
can be no proper value of timeout.

Just send packets not longer than 1280B.

> Ingress filtering is important to keep 
> denial of service attacks in check to at least some degree.

Ingress? Do you mean egress?

You can't filter an ICMP packet generated for a packet with forged
source address, because the ICMP packet has valid source and
destination addresses.

Tony> A filter that is looking at a locator is probably a bug.

Maybe or maybe not. But my point is that it is harmless.

Or, do you, maybe as a router designer, mind if some intermediate
routers are required to perform egress filtering on source locators?

Note that an alternative proposal is to let routers have complex
packet tracing functionality.

							Masataka Ohta
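As an added illustration of the draft text quoted in the message above (example code written for this page, not code from the draft, the post or its author), here is a constructed toy routing table whose entries carry a source prefix per route, so that the host rather than an intermediate router picks a source address that will pass the outgoing ISP's source address filter. The ISP prefixes, host addresses and routes are all made-up 2001:db8::/32 documentation values.

```python
import ipaddress

# Constructed scenario: one site, two upstream ISPs. The single host
# interface carries one address out of each ISP's prefix.
ISP_PREFIXES = {
    "ISP-A": ipaddress.ip_network("2001:db8:a::/48"),
    "ISP-B": ipaddress.ip_network("2001:db8:b::/48"),
}
HOST_ADDRESSES = [
    ipaddress.ip_address("2001:db8:a:1::10"),
    ipaddress.ip_address("2001:db8:b:1::10"),
]

# Routing entries as the draft proposes: not only a preference for the
# external route, but also the source prefix to use when it is chosen.
# (destination prefix, preference, ISP, source prefix); higher preference wins.
ROUTES = [
    (ipaddress.ip_network("::/0"), 100, "ISP-A", ISP_PREFIXES["ISP-A"]),
    (ipaddress.ip_network("::/0"), 50, "ISP-B", ISP_PREFIXES["ISP-B"]),
    (ipaddress.ip_network("2001:db8:100::/48"), 10, "ISP-B", ISP_PREFIXES["ISP-B"]),
]


def select_route(dst):
    """Longest prefix match; among equal lengths the higher preference wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if dst in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, r[1]))


def select_source(dst):
    """Host-side choice: the host address that falls in the route's source prefix."""
    route = select_route(dst)
    for addr in HOST_ADDRESSES:
        if addr in route[3]:
            return route[2], addr
    raise LookupError("no host address matches the outgoing ISP")


def naive_source():
    """The old rule: use 'the' interface address, here simply the first one."""
    return HOST_ADDRESSES[0]


def ingress_filter_accepts(isp, src):
    """The ISP edge discards packets whose source is not in its own prefix."""
    return ipaddress.ip_address(src) in ISP_PREFIXES[isp]
```

Traffic to 2001:db8:100::/48 is routed via ISP-B; the routing-assisted choice yields a 2001:db8:b:: source that ISP-B accepts, while the old interface-address rule yields an ISP-A address that ISP-B's filter drops.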