[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ICMP message for ingress filtering
- To: shim6-wg <shim6@psg.com>
- Subject: ICMP message for ingress filtering
- From: Iljitsch van Beijnum <iljitsch@muada.com>
- Date: Sat, 15 Dec 2007 14:59:00 +0100
Hi shimmers,
After a discussion about performing proxy shim operation and the
acceptability of NAT for that, it occurs to me that we never actually
solved the ingress filtering issue.
When a host connects to ISPs A and B and then sends a packet with a
source address from ISP A's address range out to ISP B, it's likely
that ISP B will drop the packet because it has an "invalid" source
address. Solving this in the general case is non-trivial, but I think
it should be possible to get us most of the way there with a fairly
simple mechanism: a new "source address prohibited" ICMP message. Just
like when a host receives a "destination unreachable" message it tries
a different destination address, receiving a "source address
prohibited" message would make the host try a different source address.
Since this isn't a shim6- or even IPv6-specific issue (IPv4 hosts can
also have multiple addresses, it's just not all that common) this
would probably have to happen in the internet area working group but I
thought I'd ask for feedback from this wg first.
The reason this came up in regard to shim6 proxying is that if a host
behind such a proxy has ULA addresses or another address type with
similar properties, it would be necessary to perform NAT to
communicate with legacy IPv6 destinations. If you give the host behind
the proxy regular PA addresses on the other hand, you are still
largely bound by the limitations of those addresses. Alternatively, we
could give a proxied host both ULA-like identifier addresses for use
towards shim6-capable destinations and regular PA addresses for use
towards legacy destinations. RFC 3484 address selection should help
select the right source address here, but this isn't fool proof. So in
case the host selects the wrong type of address, the proxy could send
back a "source address prohibited" ICMP message and the host would
retry with a different source address.
It would be good to get this into host IPv6 stacks even if routers
won't support it immediately so that we can make use of this when we
create shim6 proxies.
An ICMP message like this would also be useful for sites that would
like to use ULA addressing for their internal network but regular
addresses for connectivity to the internet.