Re: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4

[Fred Templin <ftemplin@iprg.nokia.com>]

Pekka Savola wrote:

> On Mon, 6 Oct 2003, Fred Templin wrote:
>  
>
> > Pekka Savola wrote:
> >    
> [...]
>  
>
> > > 3) "node receives packets through a valid tunnel which fail IPv6 ingress
> > > filtering tests"
> > >
> > > ==> silently discard, I think (if ingress filtering fails, the error 
> > > won't probably get back anyway)
> > >
> > >      
> > In case 3) above, send an ICMPv6 DU to the originating source.
> >
> > It might not get back, but may very well help the situation
> > in the decapsulator for the next time around...
> >    
>
> Huh?  Which node do you refer by decapsulator -- the one sending ICMPv6 
> DU, or the one receiving it (over the tunnel) and decapsulating it?

The former (i.e., the one sending ICMPv6 DU). But, you seem
to be assuming that it would be sent back over the bidirectional
tunnel from which the original packet arrived. I am not.

> If the former, I don't really understand how sending a reply would help.

Well, it could elicit an ICMPv6 Redirect from a router that would
provide information satisfying future ingress filter checks in the
decapsulator, it could provide a traceback mechanism to detect
IPv6 source address spoofing attacks, etc.

Fred
ftemplin@iprg.nokia.com