Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational
On 13-jun-2006, at 21:52, Fred Baker wrote:
The real value in this document, besides suggesting appropriate
firewall configurations, is in the lines of reasoning presented for
the configuration elements. For example, a router solicitation by
definition travels from a host seeking a first hop router to a
system that it is directly connected to at a lower layer such as a
wired or wireless Ethernet. The document recommends that this class
of message never be forwarded, and one in fact hopes that not only
would it not be forwarded, but that the originator would set TTL=1
to prevent the occurrence even if the router were misconfigured.
RFC 2461:
6.1.1. Validation of Router Solicitation Messages
Hosts MUST silently discard any received Router Solicitation
Messages.
A router MUST silently discard any received Router Solicitation
messages that do not satisfy all of the following validity checks:
- The IP Hop Limit field has a value of 255, i.e., the packet
could not possibly have been forwarded by a router.
Although the document mentions using the hop limit at 255 as a
security feature, I think this could be more prominent, as it may
give people a reason to forego some or even all ICMPv6 filtering.
As such, the document collects a fair bit of wisdom from which the
unschooled can learn.
You're making me bite my tongue here, Fred...
1.b) Has the document had adequate review from both key WG members
and key non-WG members? Do you have any concerns about the
depth or breadth of the reviews that have been performed?
This document has been through working group review since its
introduction about a year ago. This version responds to comments
presented during working group last call in May 2006. I believe
that it has had adequate review.
Please have the use of "hop count" changed to "hop limit" in the
document to reflect the actual name of the field.
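As an added illustration (not from this thread, the draft, or RFC 2461 itself) of the hop-limit reasoning discussed above: a receiver-side check that applies the section 6.1.1 Router Solicitation validity rules, including the Hop Limit = 255 test, to constructed raw IPv6 packets. The packet builder, the absence of extension headers, and the omission of the ICMPv6 checksum check are assumptions made for this example.

```python
import struct

# Constructed example: RFC 2461 section 6.1.1 validity checks for a received
# Router Solicitation, on a raw IPv6 packet with no extension headers.
# The ICMPv6 checksum check is omitted here (assumption for brevity).
ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_SOLICITATION = 133


def rs_validity_problems(packet: bytes) -> list:
    """Return the 6.1.1 checks the packet fails; an empty list means accept."""
    if len(packet) < 40:
        return ["truncated IPv6 header"]
    payload_len, next_header, hop_limit = struct.unpack_from("!HBB", packet, 4)
    if next_header != ICMPV6_NEXT_HEADER:
        return ["not ICMPv6"]
    icmp = packet[40:40 + payload_len]
    if len(icmp) < 8:
        return ["ICMP length < 8"]
    if icmp[0] != ICMPV6_ROUTER_SOLICITATION:
        return ["not a Router Solicitation"]
    problems = []
    # Hop Limit 255 means no router can have forwarded this packet.
    if hop_limit != 255:
        problems.append("hop limit is %d, not 255" % hop_limit)
    if icmp[1] != 0:
        problems.append("ICMP code is %d, not 0" % icmp[1])
    # Options: type, length in units of 8 octets; a zero length is invalid.
    off = 8
    while off < len(icmp):
        if off + 2 > len(icmp):
            problems.append("truncated option")
            break
        opt_len = icmp[off + 1] * 8
        if opt_len == 0:
            problems.append("option with zero length")
            break
        off += opt_len
    return problems


def build_rs(hop_limit: int, code: int = 0, options: bytes = b"") -> bytes:
    """Constructed RS from fe80::1 to ff02::2; checksum field left zero."""
    icmp = bytes([ICMPV6_ROUTER_SOLICITATION, code]) + b"\x00" * 6 + options
    src = b"\xfe\x80" + b"\x00" * 13 + b"\x01"
    dst = b"\xff\x02" + b"\x00" * 13 + b"\x02"
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, hop_limit)
    return hdr + src + dst + icmp
```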