[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
mech-v2: decapsulation check updates
Hi,
Since the last version of the transmech document, the decapsulation
checks have become much stronger: MUST check the v4 source of the
tunnel, MUST check the v6 source addresses for bogus addresses and
MAY/should use v4/v6 ingress filtering.
Any objections to these changes? Other thoughts?
=========
3.6. Decapsulation
When an IPv6/IPv4 host or a router receives an IPv4 datagram that is
addressed to one of its own IPv4 addresses, and the value of the
protocol field is 41, the packet is potentially part of a tunnel and
needs to be verified to belong to one of the configured tunnel
interfaces (by checking source/destination addresses), reassembled
(if fragmented at the IPv4 level), have the IPv4 header removed and
the resulting IPv6 datagram be submitted to the IPv6 layer code on
the node.
The decapsulator MUST verify that the tunnel source address is
correct before further processing packets, to mitigate the problems
with address spoofing (see section 4). This check also applies to
packets which are delivered to transport protocols on the
decapsulator. This is done by verifying that the source address is
the IPv4 address of the other end of a tunnel configured on the node.
Packets for which the IPv4 source address does not match MUST be
discarded; an ICMP message (whether IPv4 or IPv6) SHOULD NOT be
generated.
A side effect of this address verification is that the node will
silently discard packets with a wrong source address, and packets
which were received by the node but not directly addressed to it
(e.g., broadcast addresses).
In addition, the node MAY perform ingress filtering [RFC2827] on the
IPv4 source address, i.e., check that the packet is arriving from the
interface in the direction of the route towards the tunnel end-point,
similar to a Strict Reverse Path Forwarding (RPF) check [BCP38UPD].
If done, it is RECOMMENDED that this check is disabled by default.
The packets caught by this check SHOULD be silently discarded.
[[ skip paragraphs about MTU and figures..]
After the decapsulation the node MUST silently discard a packet with
an invalid IPv6 source address. The list of invalid source addresses
SHOULD include at least:
- all multicast addresses (FF00::/8)
- the loopback address (::1)
- all the IPv4-compatible IPv6 addresses [RFC3513] (::/96),
excluding the unspecified address for Duplicate Address
Detection (::/128)
- all the IPv4-mapped IPv6 addresses (::ffff:0:0/96)
In addition, the node should perform ingress filtering [RFC2827] on
the IPv6 source address, as on any of its interfaces, e.g.:
- if the tunnel is towards the Internet, check that the site's
IPv6 prefixes are not used as the source addresses, or
- if the tunnel is towards an edge network, check that the source
address belongs to that edge network.