Re: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4
On Mon, 6 Oct 2003, Fred Templin wrote:
> Pekka Savola wrote:
[...]
> > 3) "node receives packets through a valid tunnel which fail IPv6 ingress
> > filtering tests"
> >
> > ==> silently discard, I think (if ingress filtering fails, the error
> > won't probably get back anyway)
> >
>
> In case 3) above, send an ICMPv6 DU to the originating source.
>
> It might not get back, but may very well help the situation
> in the decapsulator for the next time around...
Huh? Which node do you refer to by decapsulator -- the one sending ICMPv6
DU, or the one receiving it (over the tunnel) and decapsulating it?
If the former, I don't really understand how sending a reply would help.
If the latter, I'm not sure if there is enough of a guarantee to warrant
it because the message would probably never get through. One special case
in which it _might_ help is host<->router tunnels, as you would know that
the host is responsible for sending such illegitimate packets (and not
just anyone at all behind another router).
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings