Re: mech-v2-05pre

[Pekka Savola <pekkas@netcore.fi>]

On Tue, 24 Aug 2004, Fred Templin wrote:
> I have another comment for this document; in section 3.6, change:
> 
>   "The encapsulating IPv4 header is discarded."
> 
> to:
> 
>   "The encapsulating IPv4 header is discarded, and the version
>    encoded in the first 4 bits of encapsulated packet is checked.
>    (Procedures for handling packets with version other than 6 are
>    out of scope.)"

I'm not sure if that's really needed.

The first paragraph says:

  When an IPv6/IPv4 host or a router receives an IPv4 datagram that is 
   addressed to one of its own IPv4 addresses or a joined multicast
   group address, and the value of the protocol field is 41, the packet 
   is potentially a tunnel packet and needs to be verified to belong to
   one of the configured tunnel interfaces (by checking
   source/destination addresses), reassembled (if fragmented at the IPv4
   level), have the IPv4 header removed and the resulting IPv6 datagram 
   be submitted to the IPv6 layer code on the node.

(note tha last sentence.)

If the v6 layer code does not check the IP version first, why should 
we specify additional checks? 

Note that often the IP delivery is done based on lowe layer, e.g.,
ethernet protocol number, so if an IPv6 packet where the version is
not 6 it's usually silently discarded as a bug in the lower layer if
the implementation even checks that.  That being said, tunneling
provides an easier means to inject bogus packets than physical link
layers.

That said, if folks think it makes sense to spell this out, I'd rather
suggest placing the version check as a new paragraph after the one you
proposed, without the text in ()'s.

Opinions?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings