
Re: RFC 2893 Question - Ingress Filtering of IPv6-in-IPv4



Hi,

On Fri, 17 Oct 2003, Fred Templin wrote:
>  1) As to "port unreachable", my thought process is that ip-proto-41 is
>     the "protocol" and the set of all tunnels configured by the node would
>     be the "ports". Using this logic, an unconfigured tunnel would therefore
>     be an "unreachable port". (This does not seem like a showstopper issue
>     to get hung up over, however.)

This seems like one rather reasonable technical interpretation of this
issue. I'm not sure if I agree with it, but I wouldn't have objections if
folks think this is the best way forward.

[...]
>  3) I don't quite agree with the default behavior of silently discard
>     in the case that the tunnel endpoint was correctly configured,
>     but ingress filtering failed. That would be analogous to firewall
>     filtering, and RFC 2463, section 3.1 says that sending an
>     ICMPv6 Destination Unreachable with code 1 (communication
>     with destination administratively prohibited) is a SHOULD.

Note that sending any messages back from a router or a firewall only makes
sense if there is a reasonable guarantee/"hope" that the node which really
sent the triggering packet will be able to receive the ICMP unreachable
message. In particular with ingress filtering (based on the source address),
this assumption may not hold.

That is, if the address is spoofed or otherwise wrong, it by definition
does not get back to the *right* source node, and sending a message could
maybe even be considered counter-productive.

On the other hand, if the address is not spoofed, but only comes from a
wrong direction (e.g., consider an ISP ingress filtering a customer that
is connected to two ISPs with two provider-aggregatable prefixes, and the
customer sends a packet using the wrong source address to the wrong ISP),
there *might* be a reason for sending such an unreachable message.

The question then would be whether these two cases can be reasonably
easily distinguished.

As it is, if we had to put requirements language on these, I'd
probably say "an ICMP message MAY be sent".

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
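The two rejection cases discussed in this thread (an unconfigured tunnel versus a configured tunnel whose inner source fails ingress filtering), modelled as a tunnel-endpoint check. This is an added example, not code from the thread or from any RFC 2893 implementation; the tunnel table, addresses and prefixes are constructed, and the ICMP labels are only the decision the endpoint records, not a packet it builds.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation, "ip-proto-41"

# Constructed tunnel table (hypothetical addresses): configured tunnels keyed by
# (local IPv4, remote IPv4), each listing the inner IPv6 prefixes expected from
# that peer. The expected-prefix list is what ingress filtering checks against.
TUNNELS = {
    ("192.0.2.1", "198.51.100.7"): [ipaddress.ip_network("2001:db8:7::/48")],
    ("192.0.2.1", "198.51.100.9"): [ipaddress.ip_network("2001:db8:9::/48")],
}

@dataclass
class Verdict:
    action: str          # "accept" or "discard"
    reason: str          # which check decided the outcome
    icmp: Optional[str]  # ICMP error the endpoint may generate, or None


def check_encapsulated(outer_src, outer_dst, ip_proto, inner_src,
                       icmp_on_ingress_fail=False):
    """Classify an incoming encapsulated packet at the tunnel endpoint.

    1. No tunnel configured for (outer_dst, outer_src): in the reading where
       ip-proto-41 is the "protocol" and configured tunnels are the "ports",
       this is a port unreachable.
    2. Tunnel configured, but the inner IPv6 source is not one expected from
       that peer: ingress filtering failed. Default is silent discard; an
       ICMPv6 Destination Unreachable code 1 (administratively prohibited) is
       at most a MAY, since the error is addressed to the very source that
       failed the check and this code cannot tell a spoofed source from a
       packet that merely arrived over the wrong tunnel.
    """
    if ip_proto != IPPROTO_IPV6:
        return Verdict("accept", "not-ipv6-in-ipv4", None)  # not this check's job
    prefixes = TUNNELS.get((outer_dst, outer_src))
    if prefixes is None:
        return Verdict("discard", "unconfigured-tunnel", "port unreachable")
    src = ipaddress.ip_address(inner_src)
    if not any(src in p for p in prefixes):
        icmp = "ICMPv6 dst-unreachable code 1" if icmp_on_ingress_fail else None
        return Verdict("discard", "ingress-filter-failed", icmp)
    return Verdict("accept", "tunnel-and-source-ok", None)
```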