Re: draft-ietf-multi6-multihoming-requirements-06.txt
On 19 Jun 2003, Cedric de Launois wrote:
> > > Also, what about the interaction between (srcaddr,dstaddr) selection &
> > > anti-spoofing-type filtering? The routers do the filtering, but the host
> > > does the address selection. How does that work? I don't want to have more
> > > spoofed attacks with IPv6 than we have now with IPv4.
> >
> > At the moment, there is no interaction. The routers have to allow both.
> > But that's one field that in particular should be worked at.
>
> There IS interaction between src address selection and
> anti-spoofing-type filtering, at least in the multiaddressing solution.
> Suppose a site has 2 providers : ISPA and ISPB. Each provider delegates
> one prefix (PA and PB) to the hosts. When sending a packet, if a host
> chooses PA as src address, then the packet must be routed through ISPA,
> not through ISPB, to avoid anti-spoofing-type filtering.

Yes, this is the interaction there *should* be, but currently isn't :-)

> A general principle would be :
>
> IF a host receives prefix PA in a router advertisement coming from
> router RA THEN choose src address PA if the host sends a packet with
> RA as the first hop toward the destination (i.e. the packet is sent
> through ISPA).
>
> I would insert this rule just after the 7th rule in RFC3484.

This doesn't help in the most typical case, where there is a single router
advertising both prefixes. (It would only help when there are two routers
advertising two different prefixes to the host.)

Basically the simplest fix is using policy-based routing in your site
border routers. Not typically implemented for IPv6, but should be quite
straightforward.

See draft-savola-bcp38-multihoming-update-00.txt for more thoughts on
this.

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
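
The interaction discussed in this message, as an added example that is not part of the original post: a small model of a site with two providers, each applying anti-spoofing ingress filtering, comparing plain destination-based forwarding with source-based policy routing at the site border. The prefixes, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed documentation prefixes (assumptions, not taken from the thread).
PA = ipaddress.ip_network("2001:db8:a::/48")  # delegated by ISPA
PB = ipaddress.ip_network("2001:db8:b::/48")  # delegated by ISPB
DELEGATED = {"ISPA": PA, "ISPB": PB}

def isp_ingress_accepts(isp, src):
    """Anti-spoofing filter: an ISP accepts only sources inside the prefix it delegated."""
    return ipaddress.ip_address(src) in DELEGATED[isp]

def exit_by_destination(src, dst, default_exit="ISPA"):
    """Destination-based forwarding: the source address plays no part in the exit choice."""
    return default_exit

def exit_by_source(src, dst):
    """Policy-based routing at the site border: exit via the ISP whose prefix covers the source."""
    addr = ipaddress.ip_address(src)
    for isp, prefix in DELEGATED.items():
        if addr in prefix:
            return isp
    return None  # source in no delegated prefix: dropped at the site border

def deliver(route, src, dst):
    """Return (exit ISP, accepted by that ISP's ingress filter) for one packet."""
    isp = route(src, dst)
    return isp, isp is not None and isp_ingress_accepts(isp, src)

def survey(route, packets):
    """Apply one routing function to every (src, dst) pair."""
    return [deliver(route, s, d) for s, d in packets]

# Constructed sample traffic: a PA source, a PB source, and a source from neither prefix.
PACKETS = [
    ("2001:db8:a::10", "2001:db8:ffff::1"),
    ("2001:db8:b::10", "2001:db8:ffff::1"),
    ("2001:db8:c::10", "2001:db8:ffff::1"),
]

if __name__ == "__main__":
    for name, route in (("destination-based", exit_by_destination),
                        ("source-based", exit_by_source)):
        print(name)
        for (src, dst), (isp, ok) in zip(PACKETS, survey(route, PACKETS)):
            print(f"  src={src} exit={isp} accepted={ok}")
```

With destination-based forwarding, the legitimate PB-sourced packet is dropped by ISPA's filter; with source-based routing both legitimate packets pass, and the packet from neither prefix never leaves the site.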