
RE: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4



Fred Templin wrote:

> If the decapsulator (and filtering node) B sends the DU as an IPv6/IPv4
> encapsulated packet to A who was the encapsulator of the original packet,
> it should be OK *provided* the IPv6 dst of the DU (which is the same as
> the IPv6 src of the original packet) is one of A's IPv6 addresses.
> Otherwise, A might forward the DU onward to some unsuspecting node C,
> i.e., if the IPv6 src of the original packet was spoofed.
>
> I think it might be nice for A to learn that B is dropping the packets
> due to ingress filtering, but I don't see a way to send a DU that is
> guaranteed to stop at A and not be forwarded onward to some unsuspecting
> node C. Do you?

You have a point here.
No, I don't see a way to protect "unsuspecting node C".

(If node A were a router encapsulating IPv6 traffic, you would actually
want it to forward the decapsulated DU back to the originating host [for
legitimate traffic]).


Perhaps the draft should direct that ingress filtered packets be
silently dropped?
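The silent-drop behaviour proposed above, sketched as an added example that is not part of the original message or of any draft text. The configured-tunnel table, the function names and the documentation-range addresses are assumptions made for illustration; the IPv4 header checksum is not validated here.

```python
import ipaddress
import struct

# Assumed configured-tunnel table at decapsulator B: encapsulator IPv4 address
# -> IPv6 prefixes legitimately sourced behind it (documentation ranges).
TUNNELS = {
    ipaddress.IPv4Address("192.0.2.1"): [ipaddress.IPv6Network("2001:db8:a::/48")],
}

def ingress_filter(pkt: bytes, tunnels=TUNNELS):
    """Return (verdict, reason) for an IPv4 packet arriving at decapsulator B."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("drop", "not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 41:            # protocol 41 = IPv6-in-IPv4
        return ("drop", "not IPv6-in-IPv4")
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ("drop", "malformed inner IPv6 header")
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    allowed = tunnels.get(outer_src)
    if allowed is None:
        return ("drop", "unknown tunnel endpoint")
    if not any(inner_src in net for net in allowed):
        # Silent drop: no ICMPv6 Destination Unreachable is generated, because
        # its destination would be the unverified (possibly spoofed) inner
        # source, and encapsulator A could forward it on to a third node C.
        return ("drop", "inner source fails ingress filter")
    return ("accept", "inner source matches tunnel prefix")

def build(outer_src, inner_src, inner_dst="2001:db8:b::1"):
    """Build a minimal IPv6-in-IPv4 packet (constructed sample data)."""
    # IPv6 header: version 6, payload length 0, next header 59 (none), hop limit 64
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 64)
    v6 += ipaddress.IPv6Address(inner_src).packed
    v6 += ipaddress.IPv6Address(inner_dst).packed
    # IPv4 header: IHL 5, TTL 64, protocol 41, checksum left as 0
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0)
    v4 += ipaddress.IPv4Address(outer_src).packed
    v4 += ipaddress.IPv4Address("192.0.2.2").packed
    return v4 + v6

if __name__ == "__main__":
    for o, i in [("192.0.2.1", "2001:db8:a::5"), ("192.0.2.1", "2001:db8:c::5")]:
        print(o, i, ingress_filter(build(o, i)))
```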