[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 Type 0 Routing Header issues

To: v6ops@ops.ietf.org
Subject: Re: IPv6 Type 0 Routing Header issues
From: Ed Jankiewicz <edward.jankiewicz@sri.com>
Date: Wed, 25 Apr 2007 11:13:09 -0400
Cc: Rob Austein <sra@isc.org>, ipv6@ietf.org, ipv6-ops@lists.cluenet.de, "nav6tf@ipv6forum.com" <nav6tf@ipv6forum.com>
In-reply-to: <20070425141336.E95D522875@thrintun.hactrn.net>
References: <462D4706.4000504@spaghetti.zurich.ibm.com> <462E7AB4.3050807@piuha.net> <m2mz0xp6je.wl%gnn@neville-neil.com> <20070425093402.A30586@mignon.ki.iif.hu> <20070425141336.E95D522875@thrintun.hactrn.net>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

I am facing a similar dilemma. Currently editing version 2.0 draft ofthe US DoD "DISR Product Profiles for IPv6" and considering adding aTHOU SHALT NOT or at least "it would be a great idea if you didn't"forward based on RH0 due to this vulnerability. At the very least Iwill note this risk, suggesting that vendors SHOULD provide a means ofdisabling RH0, and also consider disabling by default.

Especially interested in strong opinions from vendors about difficultyin complying if that were the case. Cross posting to NAv6TF as well,but please reply directly to ed.jankiewicz@sri.com and avoid clutteringup the lists with specific objections and suggestions. I will summarizeback to the lists.


Thanks
Ed J.

Rob Austein wrote:

At Wed, 25 Apr 2007 09:41:09 +0200 (CEST), Mohacsi Janos wrote:

The current patch provided by OpenBSD/FreeBSD makes *BSD IPv6
implemenation non-conformant to standard.


Sometimes violating the standard is the only reasonable thing for an
implementor to do.  The (IPv4) stack I worked on back in the '90s
shipped with forwarding of directed broadcast disabled by default,
long before anybody had heard of a "smurf attack".  The stack had a
compile-time option to enable forwarding of directed broadcast; from
memory, the documentation for that option went something like this:

  "This option exists solely to allow this software to comply with RFC
  1812.  Directed broadcast is dangerous, no matter what RFC 1812
  says.  Never enable this option under any circumstances."

Eventually the IETF gathered the collective will to update the
standard, but as implementors we would have been derelict in our duty
to our customers had we waited for the IETF.


--
Ed Jankiewicz - SRI International

Fort Monmouth Branch Office - IPv6 ResearchSupporting DISA Standards Engineering Branch732-389-1003 or ed.jankiewicz@sri.com

Follow-Ups:
- RE: IPv6 Type 0 Routing Header issues
  - From: "Tony Hain" <alh-ietf@tndh.net>

References:
- IPv6 Type 0 Routing Header issues
  - From: Jeroen Massar <jeroen@unfix.org>
- Re: IPv6 Type 0 Routing Header issues
  - From: Jari Arkko <jari.arkko@piuha.net>
- Re: IPv6 Type 0 Routing Header issues
  - From: "George V. Neville-Neil" <gnn@neville-neil.com>
- Re: IPv6 Type 0 Routing Header issues
  - From: Mohacsi Janos <mohacsi@niif.hu>
- Re: IPv6 Type 0 Routing Header issues
  - From: Rob Austein <sra@isc.org>

Prev by Date: Re: IPv6 Type 0 Routing Header issues
Next by Date: Fwd: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
Previous by thread: Re: IPv6 Type 0 Routing Header issues
Next by thread: RE: IPv6 Type 0 Routing Header issues
Index(es):
- Date
- Thread