
misconfiguring the tunnel source address [mech-v2-04]



On Fri, 20 Aug 2004, Erik Nordmark wrote:
> >             Source Address:
> >                  IPv4 address of outgoing interface of the encapsulator
> >                  or an administratively specified address as described
> >                  below.
[...]
> 
> I think it makes sense to do this minor clarification since the current
> text can be read as the protocol allowing the source address to be
> configured to be the IPv4 address assigned to some other node.
> This clearly doesn't work for many reasons such as ICMPv4 errors wouldn't be
> sent back to the encapsulator.

My concern with this is that configuring such an address (not assigned on 
the node) is essentially misconfiguration by the administrator of the 
node.

Should IETF protocol specifications be concerned with this kind of
misconfiguration?  There are a LOT of different ways the admins can
render the protocols inoperable by misconfiguring them badly....

Some implementations will want to check that, no matter whether it
reads in the spec or not; some others might not want to bother, rather
relying that when the admin configures something, there must be a
reason for it. __And if the tunnel doesn't work, that's the
administrator's problem due to misconfiguration, not the protocol's,
so it's arguable that the tunnel not working would be a feature, not a
bug__.

I just checked 4 different implementations: Linux, BSD, Cisco and
Juniper.  All of them "allow" the administrator to misconfigure the
source addresses.  This would seem like a hint that the implementors
want to give the power to the administrators, or not bother with
additional checks. I'd be interested if you know of implementations
which check the tunnel source address at configuration time?

If I read correctly what you refer to with "minor clarification", I
think you would be satisfied with just a hint to the implementors that
they might want to check that the source addresses belong to the node,
but add no MAY/SHOULD/MUST terminology.  Correct?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
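
The configuration-time check discussed in this message, as an added example that is not part of the original mail or of any implementation named in it: it tests whether a configured tunnel source address is assigned to the node, with a warn-only mode and a strict mode mirroring the two implementation stances described. The function names, the `strict` flag and the sample `ip -o -4 addr show` output are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `ip -o -4 addr show` output (documentation-range addresses).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def local_ipv4_addresses(ip_output):
    """Map every IPv4 address assigned to the node to its interface name."""
    assigned = {}
    for line in ip_output.splitlines():
        fields = line.split()
        # Expected layout: "<index>: <ifname> inet <addr>/<prefix> ..."
        if len(fields) >= 4 and fields[2] == "inet":
            assigned[ipaddress.ip_interface(fields[3]).ip] = fields[1]
    return assigned


def check_tunnel_source(source, assigned, strict=False):
    """Return (verdict, message); verdict is "ok", "warn" or "reject".

    strict=False models an implementation that leaves the decision to the
    administrator and only warns; strict=True models one that refuses.
    """
    try:
        addr = ipaddress.IPv4Address(source)
    except ipaddress.AddressValueError:
        return "reject", f"{source!r} is not a valid IPv4 address"
    if addr in assigned:
        return "ok", f"{addr} is assigned to {assigned[addr]}"
    verdict = "reject" if strict else "warn"
    return verdict, (f"{addr} is not assigned to this node; ICMPv4 errors "
                     "would not be sent back to the encapsulator")


if __name__ == "__main__":
    node_addrs = local_ipv4_addresses(SAMPLE_IP_ADDR)
    for src in ("192.0.2.10", "203.0.113.5", "2001:db8::1"):
        print(src, *check_tunnel_source(src, node_addrs))
```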