[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mech-v2-05pre

To: Pekka Savola <pekkas@netcore.fi>, Fred Templin <osprey67@yahoo.com>
Subject: Re: mech-v2-05pre
From: Radhakrishnan Suryanarayanan <rkrishnan.s@samsung.com>
Date: Wed, 25 Aug 2004 09:54:42 +0530
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, v6ops@ops.ietf.org, Alex Conta <aconta@txc.com>
Organization: SAMSUNG India Software Operations
References: <Pine.LNX.4.44.0408242156310.3519-100000@netcore.fi>
Reply-to: Radhakrishnan Suryanarayanan <rkrishnan.s@samsung.com>

Hi pekka,
 as soon as the packet is decapsulated, we should do the version 6 check.

----- Original Message ----- 
From: "Pekka Savola" <pekkas@netcore.fi>
To: "Fred Templin" <osprey67@yahoo.com>
Cc: "Erik Nordmark" <Erik.Nordmark@sun.com>; <v6ops@ops.ietf.org>; "Alex
Conta" <aconta@txc.com>
Sent: Wednesday, August 25, 2004 12:39 AM
Subject: Re: mech-v2-05pre


> On Tue, 24 Aug 2004, Fred Templin wrote:
> > I have another comment for this document; in section 3.6, change:
> >
> >   "The encapsulating IPv4 header is discarded."
> >
> > to:
> >
> >   "The encapsulating IPv4 header is discarded, and the version
> >    encoded in the first 4 bits of encapsulated packet is checked.
> >    (Procedures for handling packets with version other than 6 are
> >    out of scope.)"
>
> I'm not sure if that's really needed.
>
> The first paragraph says:
>
>   When an IPv6/IPv4 host or a router receives an IPv4 datagram that is
>    addressed to one of its own IPv4 addresses or a joined multicast
>    group address, and the value of the protocol field is 41, the packet
>    is potentially a tunnel packet and needs to be verified to belong to
>    one of the configured tunnel interfaces (by checking
>    source/destination addresses), reassembled (if fragmented at the IPv4
>    level), have the IPv4 header removed and the resulting IPv6 datagram
>    be submitted to the IPv6 layer code on the node.
>
> (note tha last sentence.)
>
> If the v6 layer code does not check the IP version first, why should
> we specify additional checks?
>
> Note that often the IP delivery is done based on lowe layer, e.g.,
> ethernet protocol number, so if an IPv6 packet where the version is
> not 6 it's usually silently discarded as a bug in the lower layer if
> the implementation even checks that.  That being said, tunneling
> provides an easier means to inject bogus packets than physical link
> layers.
>
> That said, if folks think it makes sense to spell this out, I'd rather
> suggest placing the version check as a new paragraph after the one you
> proposed, without the text in ()'s.
>
> Opinions?
>
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
>
>
>

Follow-Ups:
- Re: mech-v2-05pre
  - From: "O.L.N.Rao" <olnrao@samsung.com>

References:
- Re: mech-v2-05pre
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: RE: About Teredo authentication indication
Next by Date: Re: mech-v2-05pre
Previous by thread: Re: mech-v2-05pre
Next by thread: Re: mech-v2-05pre
Index(es):
- Date
- Thread