
Re: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4

Follen, Stephen wrote:

> On one hand, yes, this would be a packet being filtered,
> suggesting that it should be dropped silently;
>
> however, the "filter" here is not something purposely set
> up by a system admin - it's not a firewall or similar.
> The filtering here is happening because of the
> incomplete configuration of a tunnel - more like a
> broken link, where a DU would be appropriate.

If the decapsulator (and filtering node) B sends the DU as an IPv6/IPv4
encapsulated packet to A who was the encapsulator of the original packet,
it should be OK *provided* the IPv6 dst of the DU (which is the same as
the IPv6 src of the original packet) is one of A's IPv6 addresses. Otherwise,
A might forward the DU onward to some unsuspecting node C, i.e., if the
IPv6 src of the original packet was spoofed.


> I'm not sure about the security issues; hopefully
> someone more qualified in that area can chime in here...

I think it might be nice for A to learn that B is dropping the packets due
to ingress filtering, but I don't see a way to send a DU that is guaranteed
to stop at A and not be forwarded onward to some unsuspecting node C.
Do you?

Fred
ftemplin@iprg.nokia.com
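The exchange discussed above, as an added example that is not part of the original thread or of any implementation the participants describe. It models encapsulator A and decapsulator B as two small Python classes: B applies the ingress check the thread is about (it accepts IPv6-in-IPv4, IPv4 protocol 41, only from an outer IPv4 source it has configured as a tunnel endpoint) and, when that check fails, answers with an ICMPv6 Destination Unreachable sent IPv6-in-IPv4 back to A, with the IPv6 destination set to the original packet's IPv6 source. A then does what any IPv6 router does with a decapsulated packet: deliver it locally if the IPv6 destination is its own, otherwise forward it. Running the same scenario once with A's genuine IPv6 source and once with a spoofed source shows the DU stopping at A in the first case and being relayed to the unsuspecting node C in the second. All addresses (documentation ranges), the class and function names, the `send_du` switch and the omission of checksums are constructions of this example, not anything the thread specifies.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41          # IPv6-in-IPv4 encapsulation (RFC 2893)
IPPROTO_ICMPV6 = 58
IPPROTO_NONE = 59          # IPv6 "no next header"; used for the sample payload
ICMPV6_DEST_UNREACH = 1
ICMPV6_CODE_ADMIN_PROHIBITED = 1


def ipv4_hdr(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header in front of payload (checksum left 0: model only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, pkt[ihl:total]


def ipv6_hdr(src, dst, nh, payload):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class / flow label)."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def parse_ipv6(pkt):
    vtf, plen, nh, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), nh, pkt[40:40 + plen]


class Decapsulator:
    """Tunnel endpoint B.  Ingress filter: the outer IPv4 source must be a configured
    tunnel peer.  send_du=False drops silently (firewall style); True answers with a DU."""

    def __init__(self, ipv4, ipv6, tunnel_peers, send_du):
        self.ipv4 = ipaddress.IPv4Address(ipv4)
        self.ipv6 = ipaddress.IPv6Address(ipv6)
        self.tunnel_peers = {ipaddress.IPv4Address(p) for p in tunnel_peers}
        self.send_du = send_du

    def receive(self, pkt):
        """Return ('deliver', inner) or ('drop', reply); reply is the encapsulated DU or None."""
        osrc, odst, proto, inner = parse_ipv4(pkt)
        if proto != IPPROTO_IPV6 or odst != self.ipv4:
            return "drop", None
        if osrc in self.tunnel_peers:
            return "deliver", inner
        if not self.send_du:
            return "drop", None
        isrc, _, _, _ = parse_ipv6(inner)
        # ICMPv6 DU: type, code, checksum (0 in this model), unused word, then the offending
        # packet, truncated so the whole error fits in the IPv6 minimum MTU of 1280 bytes.
        icmp = struct.pack("!BBHI", ICMPV6_DEST_UNREACH, ICMPV6_CODE_ADMIN_PROHIBITED, 0, 0)
        icmp += inner[:1280 - 40 - 8]
        du = ipv6_hdr(self.ipv6, isrc, IPPROTO_ICMPV6, icmp)        # IPv6 dst = original IPv6 src
        return "drop", ipv4_hdr(self.ipv4, osrc, IPPROTO_IPV6, du)  # IPv6-in-IPv4 back to A


class Encapsulator:
    """Tunnel endpoint A.  On receipt it decapsulates and, like any IPv6 router, keeps the
    inner packet only if its IPv6 destination is one of A's own addresses; otherwise it
    forwards toward that destination, which is exactly how a DU for a spoofed source leaks."""

    def __init__(self, ipv4, ipv6_addrs, peer_ipv4):
        self.ipv4 = ipaddress.IPv4Address(ipv4)
        self.ipv6_addrs = {ipaddress.IPv6Address(a) for a in ipv6_addrs}
        self.peer = ipaddress.IPv4Address(peer_ipv4)

    def encapsulate(self, inner):
        return ipv4_hdr(self.ipv4, self.peer, IPPROTO_IPV6, inner)

    def receive(self, pkt):
        """Return ('local', inner), ('forward', ipv6_dst) or ('drop', None)."""
        osrc, odst, proto, inner = parse_ipv4(pkt)
        if proto != IPPROTO_IPV6 or odst != self.ipv4 or osrc != self.peer:
            return "drop", None
        _, idst, _, _ = parse_ipv6(inner)
        if idst in self.ipv6_addrs:
            return "local", inner
        return "forward", idst


def run_scenario(inner_src):
    """A sends one IPv6 packet with source inner_src through a tunnel that B has not
    configured (empty peer list); B answers with a DU.  Report what A does with it."""
    a = Encapsulator("192.0.2.1", ["2001:db8:a::1"], peer_ipv4="198.51.100.1")
    b = Decapsulator("198.51.100.1", "2001:db8:b::1", tunnel_peers=[], send_du=True)
    inner = ipv6_hdr(inner_src, "2001:db8:b::1", IPPROTO_NONE, b"")   # constructed sample packet
    verdict, reply = b.receive(a.encapsulate(inner))
    if verdict != "drop" or reply is None:
        raise RuntimeError("expected B to filter the packet and answer with a DU")
    _, _, _, du = parse_ipv4(reply)
    _, du_dst, _, icmp = parse_ipv6(du)
    what, where = a.receive(reply)
    return {"du_dst": str(du_dst), "icmp_type": icmp[0], "at_a": what,
            "relayed_to": str(where) if what == "forward" else None}


if __name__ == "__main__":
    print("genuine src:", run_scenario("2001:db8:a::1"))   # DU stops at A
    print("spoofed src:", run_scenario("2001:db8:c::1"))   # DU relayed on to C
```

The point the model makes concrete is that nothing in the DU tells A whether the inner IPv6 source was genuine: B copies it into the DU's destination in good faith, and A's forwarding decision depends only on whether that destination is local. Setting `send_du=False` gives the silent-drop behaviour of a firewall-style filter, which is the alternative the thread weighs against the DU.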