
Re: IPv6 Type 0 Routing Header issues



Hi,

On Wed, Apr 25, 2007 at 09:41:09AM +0200, Mohacsi Janos wrote:
> I think this is not a solution. The problems of routing header type 0 are well 
> known by the community since long time. This has been documented for more 
> than 2-3 years now (raised 4 years ago). Is there any consensus that 
> type 0 routing header should be deprecated? Until then it is documented to
> be filtered if there is no need for it. The current patch provided by 
> OpenBSD/FreeBSD makes *BSD IPv6 implementation non-conformant to standard. 

Well, one could argue that the standard isn't very well-written then - a 
machine that is a *host* should NEVER forward packets, period.

That's what we have routers for, and there is a well-defined way to 
change a *BSD machine from a "host" to a "router" (turn on ip6.forwarding).

> I would rather focus on pf changes - allow filtering based on the routing 
> header type. Currently you can filter based on existence/non-existence of 
> routing header type. This is currently clearly not enough....

Extending pf(4) accordingly would certainly be a good thing, as it could
help other machines behind a NetBSD firewall.

(BTW - what's pf(4) doing if a packet comes with RH0?  Which address
does it use for ACL checking, and which address is used for state setup?)

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
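
An added illustration, not part of the original message and not pf(4) code: a sketch of filtering on the Routing header *type* rather than its mere presence, which also surfaces the two candidate addresses raised in the question above (the destination in the IPv6 header versus the last address listed in a type 0 header). The function names, the drop policy and the sample packet are assumptions constructed for this example.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, DEST_OPTS = 0, 43, 60  # IPv6 Next Header values

def inspect_routing_header(packet: bytes):
    """Return details of the first Routing header in an IPv6 packet, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = packet[6], 40
    header_dst = ipaddress.IPv6Address(packet[24:40])
    # Fragment headers are not walked here; a real filter must handle them too.
    while next_hdr in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        hdr_len = (packet[off + 1] + 1) * 8  # Hdr Ext Len excludes the first 8 octets
        if off + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            rtype, seg_left = packet[off + 2], packet[off + 3]
            final_dst = header_dst
            if rtype == 0 and seg_left > 0:
                addrs = packet[off + 8:off + hdr_len]
                if len(addrs) % 16 or seg_left > len(addrs) // 16:
                    raise ValueError("malformed type 0 routing header")
                final_dst = ipaddress.IPv6Address(addrs[-16:])  # last listed address
            return {"type": rtype, "segments_left": seg_left,
                    "header_dst": header_dst, "final_dst": final_dst}
        next_hdr, off = packet[off], off + hdr_len
    return None

def filter_decision(packet: bytes, blocked_types=(0,)) -> str:
    """Hypothetical policy: drop only the listed routing header types."""
    info = inspect_routing_header(packet)
    return "drop" if info and info["type"] in blocked_types else "pass"

def build_sample(rtype: int = 0) -> bytes:
    """Constructed packet: 2001:db8::1 -> 2001:db8::a, one listed address 2001:db8::ff."""
    src, via, final = (ipaddress.IPv6Address(a).packed
                       for a in ("2001:db8::1", "2001:db8::a", "2001:db8::ff"))
    rh = bytes([59, 2, rtype, 1]) + bytes(4) + final  # next header 59 = No Next Header
    return struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64) + src + via + rh
```

A rule that matches only `header_dst` sees 2001:db8::a for the sample packet, while the packet is ultimately addressed to 2001:db8::ff.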