[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ICMP message for ingress filtering

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: ICMP message for ingress filtering
From: Bob Hinden <bob.hinden@nokia.com>
Date: Mon, 7 Jan 2008 13:08:26 -0800
Cc: shim6-wg <shim6@psg.com>
In-reply-to: <1E19A763-72A5-46E5-A8C8-A651A6149623@muada.com>
References: <1E19A763-72A5-46E5-A8C8-A651A6149623@muada.com>
Reply-to: bob.hinden@nokia.com

Iljitsch,

Hi shimmers,
After a discussion about performing proxy shim operation and theacceptability of NAT for that, it occurs to me that we neveractually solved the ingress filtering issue.
When a host connects to ISPs A and B and then sends a packet with asource address from ISP A's address range out to ISP B, it's likelythat ISP B will drop the packet because it has an "invalid" sourceaddress. Solving this in the general case is non-trivial, but Ithink it should be possible to get us most of the way there with afairly simple mechanism: a new "source address prohibited" ICMPmessage. Just like when a host receives a "destination unreachable"message it tries a different destination address, receiving a"source address prohibited" message would make the host try adifferent source address.

In the last update to ICMPv6 RFC4443, we added a Code to theDestination Unreachable ICMP error message:

        5 - Source address failed ingress/egress policy

If the reason for the failure to deliver is that the packet withthis

   source address is not allowed due to ingress or egress filtering
   policies, the Code field is set to 5.

A code for Reject Routes was also added.

The intent was to solve the problem as you described. It, of course,doesn't help with ICMP(v4).

Bob

Since this isn't a shim6- or even IPv6-specific issue (IPv4 hostscan also have multiple addresses, it's just not all that common)this would probably have to happen in the internet area workinggroup but I thought I'd ask for feedback from this wg first.
The reason this came up in regard to shim6 proxying is that if ahost behind such a proxy has ULA addresses or another address typewith similar properties, it would be necessary to perform NAT tocommunicate with legacy IPv6 destinations. If you give the hostbehind the proxy regular PA addresses on the other hand, you arestill largely bound by the limitations of those addresses.Alternatively, we could give a proxied host both ULA-likeidentifier addresses for use towards shim6-capable destinations andregular PA addresses for use towards legacy destinations. RFC 3484address selection should help select the right source address here,but this isn't fool proof. So in case the host selects the wrongtype of address, the proxy could send back a "source addressprohibited" ICMP message and the host would retry with a differentsource address.
It would be good to get this into host IPv6 stacks even if routerswon't support it immediately so that we can make use of this whenwe create shim6 proxies.
An ICMP message like this would also be useful for sites that wouldlike to use ULA addressing for their internal network but regularaddresses for connectivity to the internet.

References:
- ICMP message for ingress filtering
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: RE: Question about REAP state transition (draft-ietf-shim6-failure-detection-09)
Next by Date: Re: Shim6 Working Group Last call on the Shim6 Document Set
Previous by thread: ICMP message for ingress filtering
Index(es):
- Date
- Thread