[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4

To: "Follen, Stephen" <sfollen@enterasys.com>
Subject: Re: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4
From: Fred Templin <ftemplin@iprg.nokia.com>
Date: Thu, 28 Aug 2003 14:34:36 -0700
Cc: v6ops@ops.ietf.org
References: <05829C8A6277594395457B34D6A3A6DD2840B9@MAANDMBX2.ets.enterasys.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Are you suggesting perhaps that some additional specification is
needed in 'draft-ietf-v6ops-mech-v2-00.txt'?

Fred
ftemplin@iprg.nokia.com

Follen, Stephen wrote:

A question related to Ingress Filtering of decapsulated [tunneled] IPv6-in-IPv4 packets: Section 3.6 of RFC 2893, IPv6 Transition Mechanisms, indicates that "... a decapsulated packet MUST NOT be forwarded unless the node has been explicitly configured to forward such packets ..." and in section 4.3 "The decapsulating node MUST verify that the tunnel source address is acceptable before forwarding decapsulated packets ..." (the more recent draft-ietf-v6ops-mech-v2-00.txt, Basic IPv6 Transition Mechanisms provides similar guidance in sections 3.6, 3.9 and 4.1) The question is what to do in the case that the packets are filtered / not forwarded: 1. silently drop the packet - simple, but provides no feedback of the "broken link" (see below); 2. send a v4 ICMP, Destination Unreachable (DU) - this seems like a poor approach since (a) the IPv4 [tunnel endpoint] address was reached and (b) a response may never get back to the originating IPv6 host (section 3.4 of RFC 2893 indicates that an encapsulating node MAY generate a v6 ICMP when it gets a v4 ICMP back); 3. send a v6 ICMP DU - this probably won't get back to the originating host either since its unlikely that there's a path back to it (the do not forward decision occurred because the tunnel was not set up); 4. send a ICMPv6 DU encapsulated in IPv4 - there is enough information in the incoming IPv6-in-IPv4 packet to generate this, and it would likely get back to the originating host, but to do so would effectively send a packet via a tunnel which had not been configured. "broken link" - [in the case of legitimate traffic] the filtering which would occur here is not the result of a specifically configured ingress filter, rather, it is the result of not fully configuring the tunnel; a tunnel is effectively a link, so I see the filtering to be similar to a broken link. Any thoughts would be greatly appreciated. - Thank you Steve Follen sfollen@enterasys.com <mailto:sfollen@enterasys.com>

References:
- RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4
  - From: "Follen, Stephen" <sfollen@enterasys.com>

Prev by Date: RE: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4
Next by Date: Re: RFC 2893-style automatic tunneling
Previous by thread: RE: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4
Next by thread: Re: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4
Index(es):
- Date
- Thread