
Re: Teredo and draft-davies-v6ops-icmpv6-filtering-bcp-00



Thanks for pointing this out. Janos and I are working on a new version of the draft and we will point this out.

I'll check the security discussions in the Teredo draft to see what it says on the subject.

Regards,
elwyn

Rémi Denis-Courmont wrote:

	Hello,

draft-davies-v6ops-icmpv6-filtering-bcp-00 suggests (§ 4.2) filtering incoming ICMPv6 Echo requests, and, optionally, outgoing ones.

I do understand there are security motivations for doing so. Yet, while that might be seen as an abuse of ping6, Teredo tunneling, which seems to be going for RFC, needs ping6 to establish symmetric routing of IPv6 packets between a Teredo client and a native (or tunneled otherwise) IPv6 node.

If these packets go unresponded, the IPv6 node becomes completely unreachable from the Teredo client (regardless of which of the two actually is the "initiator" of the data exchange).

IMHO, it should at least be worth mentioning as a side effect in the filtering draft, though there may be objections that I'm not aware of.

Regards,