[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IETF multihoming powder: just add IPv6 and stir
Iljitsch;
> > OTOH, rewriting of source locator is not so useful, though I have
> > no reason to forbid it.
>
> Unless the source address is already a valid address assigned by the
> ISP you're forwarding the packet to (which can't by definition always
> be the case in a locator/identifier scheme),
That's why I overviewed in draft-ohta-e2e-multihoming-03.txt:
However, to enable source address filtering to discard packets with
source addresses not belonging to an ISP, it is useful to enable a
host, not some intelligent intermediate router, select a source
address compatible with an outgoing ISP. For that purpose, intra
domain routing protocols should maintain routing table entries with
not only preference values of an external routes, but also proper
prefixes to be selected for source addresses, if the entries are
chosen by a host.
The solutions should be end to end that complex functionality must
be performed only on hosts.
Hosts needs help from routing protocols.
Traditionally, when only a single address was usually assigned to each
interface and when hosts with multiple interfaces are routers, address
of outgoing interface was the source address.
However, with multiple addresses to an interface, selection of source
address/locator can be performed properly only with the help from
routing protocol, which is a reason why IPv6 is broken in
source address selection.
> you need to rewrite it in
> order to get through ingress filtering and to be able to receive ICMP
> messages.
No. See above.
> Remember that path MTU discovery is pretty much mandatory in
> IPv6 so you need those ICMPs.
No. PMTUD is one, among many, of a useless feature of IPv6.
Worse, implementations are wrong to do it at IP layer, where there
can be no proper value of timeout.
Just send packets not loger than 1280B.
> Ingress filtering is important to keep
> denial of service attacks in check to at least some degree.
Ingress? Do you mean egress?
You can't filter an ICMP packet generated for a packet with forged
source address, because the ICMP packet has valid source and
destination addresses.
Tony> A filter that is looking at a locator is probably a bug.
Maybe or may not be. But, my point is that it is harmless.
Or, do you, may be as a router designer, mind if some intermediate
routers are required to perform egress filtering on source locators?
Note that an alternative proposal is to let routers have complex
packet tracing functionality.
Masataka Ohta