
Fwd: Re: draft-ietf-v6ops-icmpv6-filtering-bcp-00.txt comments




----- Forwarded message from elwynd@dial.pipex.com -----
    Date: Tue, 08 Nov 2005 19:44:53 +0000
    From: elwynd@dial.pipex.com
Reply-To: elwynd@dial.pipex.com
 Subject: Re: draft-ietf-v6ops-icmpv6-filtering-bcp-00.txt comments
      To: Stig Venaas <Stig.Venaas@uninett.no>

Quoting Stig Venaas <Stig.Venaas@uninett.no>:

> Hi
> 
> Some comments on the ICMPv6 filtering draft.
> 
> The main question I have is whether you should talk about ICMP
> filtering on links. There are switches today that have some l3
> capabilities like doing ACL based IP filtering. The text currently
> seems to assume links are not filtered. If this filtering is done,
> I believe it might be good to mention filtering of RAs. It's very
> useful for an administrator to only accept RAs on the router port.
> There are several attacks possible through sending RAs.

At the moment the title says firewalls.  We could add a section to talk about
filtering on switches if this is acceptable to the chairs and list.

From my point of view it would make sense.

Fred, Kurt: do you have a view?

> 
> Some other comments below.
> 
> In section 2.3 it says:
> 
>    Local communications will use link-local addresses in many cases but
>    may also use global unicast addresses for example when configuring
>    global addresses.
> 
> Huh? I have a hard time parsing this. What are you trying to say?

I agree maybe the words need a respin.  The point is that some address
configuration messages are confined to the local link but use global addresses
because (for example) DAD is being done on the global address.  Also the scopes
of source and destination can be mismatched.

> 
> In section 2.4:
> 
> firewalls for local delivery.  Generally a firewall will also by
>                                                               ^^
> s/by/be
OK.
> 
> In section 4.1:
> 
>    Many of the messages used for establishment of communications on the
>    local link will be sent with link-local addresses for at least one of
>    their source and destination.  Routers (and firewalls) conforming to
>    the IPv6 standards will not forward these packets; there is no need
>    to configure additional rules to prevent these packets traversing the
>    firewall/router.  Also the specifications of ICMPv6 messages intended
> 
> A firewall may be invisible at IP layer, at least if a firewall can be
> say a l3 switch with acls... I believe in general there are firewalls
> that forward packets without reducing hop count? Maybe needs to be better
> defined in the draft what is meant by the term "firewall"?

Hmm!  That's a bit of an issue for all the various hop count 'tricks'.  I hadn't
thought about that area.  I must admit I have never thought about what the Linux
bridged firewall that I have at home does as regards hop count.  So what we are
saying is that for the firewalls that aren't actually routers, you have to
actively filter transiting Category 3 (Ones that would be 'dropped anyway')
because you can't rely on the firewall changing the hop count.  I think this is
the only place where it affects the rules.

It would be good to discuss the possibility of firewalls that are not acting as
routers a bit more (there is text somewhere about them 'generally being routers').
> 
> Finally I see some mix of English English and US English in the draft.
I'll run it through a spell checker for some value of US or UK ;-)

Thanks,
Elwyn

> 
> Stig
> 


----- End forwarded message -----
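The two filtering points raised in the thread (accept Router Advertisements only on the port a real router sits behind, and explicitly drop link-scoped ICMPv6 on a firewall that bridges rather than routes, since it never decrements the hop limit) as an added Python example; this is not code from the thread or from the draft. The port names, the "switch"/"bridge_firewall" roles and the sample packets are assumptions made for the example.

```python
import ipaddress

# ICMPv6 Neighbor Discovery message types (RFC 4861)
ROUTER_ADVERTISEMENT = 134
NEIGHBOR_SOLICITATION = 135
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect
UNSPECIFIED = ipaddress.IPv6Address("::")


def is_link_scoped(addr):
    """True for addresses a conforming router never forwards off the link:
    fe80::/10 unicast, ff02::/16 multicast and :: (the DAD source)."""
    a = ipaddress.IPv6Address(addr)
    if a == UNSPECIFIED or a.is_link_local:
        return True
    # For multicast the scope is the low nibble of the second byte; 2 = link-local
    return a.is_multicast and ((int(a) >> 112) & 0xF) == 2


def decide(src, dst, icmp_type, ingress_port, role, router_ports):
    """Return ("drop", reason) or ("pass", reason).

    role is "switch" (all ports on one link, per-port ACLs) or "bridge_firewall"
    (a transparent firewall between two links that does not decrement the hop
    limit, so nothing is dropped 'for free'). Both roles are assumed names.
    """
    # Accept Router Advertisements only on ports where a real router is attached.
    if icmp_type == ROUTER_ADVERTISEMENT and ingress_port not in router_ports:
        return ("drop", "RA received on a non-router port")
    if role == "bridge_firewall":
        # A router would never forward these (Category 3), but a bridge will, so
        # the rule has to be explicit. This also catches DAD for a global address
        # (:: -> solicited-node multicast) and mismatched scopes such as a global
        # source sent to ff02::1.
        if is_link_scoped(src) or is_link_scoped(dst):
            return ("drop", "link-scoped address would not survive a router")
        if icmp_type in ND_TYPES:
            return ("drop", "Neighbor Discovery must not cross the boundary")
    return ("pass", "subject to the normal ICMPv6 policy")


if __name__ == "__main__":
    # Constructed sample traffic; "uplink" is the only port with a router behind it.
    samples = [
        ("fe80::1", "ff02::1", ROUTER_ADVERTISEMENT, "port7", "switch"),
        ("fe80::1", "ff02::1", ROUTER_ADVERTISEMENT, "uplink", "switch"),
        ("::", "ff02::1:ff00:1", NEIGHBOR_SOLICITATION, "inside", "bridge_firewall"),
        ("2001:db8::1", "2001:db8:1::1", 128, "inside", "bridge_firewall"),
    ]
    for src, dst, t, port, role in samples:
        print(role, port, src, "->", dst, t, decide(src, dst, t, port, role, {"uplink"}))
```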
