
Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational



On 14-jun-2006, at 2:29, Fred Baker wrote:

> As to my comment on the Hop Limit, I did read the document. It states, in several places, that the recommendation is that the Hop Limit be set to 255 and tested for still being 255 on receipt.

That's not a recommendation, it's a requirement.

> What I stated was that I would go at it a different way. If the packet is sent with Hop Limit = 1, it cannot pass a compliant router or firewall, so there is no need to test for whether it did or didn't. My way is, I think, more robust - it depends only on the sender, not the sender and the receiver. But you note that I didn't require a change to suit my fancy either.

Setting and checking for 255 is a security feature: this makes it impossible for an attacker sitting behind one or more routers to spoof a packet that seems to originate on the local link, which can be done with 1.

And of course setting the hop limit to 1 and checking for 255 doesn't work, as we learned when trying to apply the same mechanism to BGP.

If vendors don't bother implementing the check for 255, the solution is for users to find a better vendor, not reward that behavior by relaxing security features.
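The two policies argued over above (sender uses Hop Limit 255 and the receiver requires it still be 255, versus sender uses Hop Limit 1 and the receiver checks nothing), as an added simulation that is not part of this thread or of the draft. It builds a minimal IPv6 header around a constructed Neighbor Solicitation, walks it through a number of compliant routers that each decrement Hop Limit, and then applies each receiver policy. The packet layout follows the 40-byte IPv6 base header; the addresses, the `spoof_outcomes` helper and the hop counts are assumptions chosen for illustration.

```python
import struct

# Constructed sample values (not from the thread): a link-local source and a
# solicited-node multicast destination, as a Neighbor Solicitation would use.
ICMPV6 = 58
LINK_LOCAL_SRC = bytes.fromhex("fe80000000000000" "0000000000000001")
SOLICITED_NODE_DST = bytes.fromhex("ff02000000000001" "ff00000000000002")
# ICMPv6 type 135 (Neighbor Solicitation), code 0, checksum left as zero here
# because only the IPv6 Hop Limit field matters for this demonstration.
NS_PAYLOAD = bytes([135, 0, 0, 0])


def build_ipv6(src, dst, hop_limit, payload):
    """Assemble the 40-byte IPv6 base header (version, TC, flow label;
    payload length; next header; hop limit; src; dst) plus payload."""
    ver_tc_fl = 6 << 28  # version 6, traffic class 0, flow label 0
    hdr = struct.pack("!IHBB16s16s", ver_tc_fl, len(payload), ICMPV6,
                      hop_limit, src, dst)
    return hdr + payload


def hop_limit_of(pkt):
    """Hop Limit is the eighth byte of the IPv6 base header."""
    return pkt[7]


def forward(pkt):
    """What a compliant router does: decrement Hop Limit; if it would reach
    zero the packet is discarded (and an ICMPv6 Time Exceeded would be sent)."""
    hl = hop_limit_of(pkt)
    if hl <= 1:
        return None
    return pkt[:7] + bytes([hl - 1]) + pkt[8:]


def traverse(pkt, hops):
    """Carry the packet across `hops` routers; None means it was dropped."""
    for _ in range(hops):
        pkt = forward(pkt)
        if pkt is None:
            return None
    return pkt


def accept_require_255(pkt):
    """Receiver policy from the draft: accept only if Hop Limit is still 255,
    which no packet that crossed even one router can satisfy."""
    return pkt is not None and hop_limit_of(pkt) == 255


def accept_send_1_no_check(pkt):
    """The alternative: sender transmits with Hop Limit 1 and the receiver
    performs no check, so anything that was delivered is accepted."""
    return pkt is not None


def spoof_outcomes(attacker_hops):
    """Assumed scenario: an off-link attacker `attacker_hops` routers away
    tries to make a Neighbor Solicitation look like it came from the local
    link. Returns whether each policy would accept the forged packet."""
    # Against the require-255 policy the attacker's best effort is to start
    # at 255, the largest value the 8-bit field can hold.
    forged_a = build_ipv6(LINK_LOCAL_SRC, SOLICITED_NODE_DST, 255, NS_PAYLOAD)
    arrived_a = traverse(forged_a, attacker_hops)
    # Against the send-1 policy the attacker simply picks hops + 1 so the
    # packet arrives with Hop Limit 1, indistinguishable from an on-link one
    # (clamped to 255; beyond 254 routers it is dropped in transit anyway).
    forged_b = build_ipv6(LINK_LOCAL_SRC, SOLICITED_NODE_DST,
                          min(attacker_hops + 1, 255), NS_PAYLOAD)
    arrived_b = traverse(forged_b, attacker_hops)
    return {
        "require_255": accept_require_255(arrived_a),
        "send_1_no_check": accept_send_1_no_check(arrived_b),
    }


if __name__ == "__main__":
    for hops in (0, 1, 2):
        print(hops, "router(s) away:", spoof_outcomes(hops))
```

With zero routers in between (a genuine on-link sender) both policies accept the packet; as soon as one router is in the path, the require-255 policy rejects it while the send-1 policy still accepts the forged packet that was sent with a Hop Limit of hops + 1. This is the point made above: the 255 check protects against spoofing from behind a router, and a sender-only rule of 1 does not.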