[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IPv6 Type 0 Routing Header issues

To: "'Ed Jankiewicz'" <edward.jankiewicz@sri.com>, <v6ops@ops.ietf.org>
Subject: RE: IPv6 Type 0 Routing Header issues
From: "Tony Hain" <alh-ietf@tndh.net>
Date: Thu, 26 Apr 2007 15:44:50 -0700
Cc: "'Rob Austein'" <sra@isc.org>, <ipv6@ietf.org>, <ipv6-ops@lists.cluenet.de>, <nav6tf@ipv6forum.com>
In-reply-to: <462F7005.50700@sri.com>
References: <462D4706.4000504@spaghetti.zurich.ibm.com> <462E7AB4.3050807@piuha.net> <m2mz0xp6je.wl%gnn@neville-neil.com> <20070425093402.A30586@mignon.ki.iif.hu> <20070425141336.E95D522875@thrintun.hactrn.net> <462F7005.50700@sri.com>
Reply-to: <alh-ietf@tndh.net>

Before you kill this off too quickly, James Woodyatt's proxy redirection is
a perfect example of a use for Type 0 Routing Headers. He wants the firewall
to redirect traffic through a designated point (what this header was
designed to do), and the only hammer at his immediate disposal was IPv6/IPv6
nat. 

It is certainly reasonable to have a BCP that says 'these should be filtered
at policy boundaries unless there is a good reason to do otherwise', but
they are a tool to solve some very specific corner cases. 

Tony


> -----Original Message-----
> From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
> Behalf Of Ed Jankiewicz
> Sent: Wednesday, April 25, 2007 8:13 AM
> To: v6ops@ops.ietf.org
> Cc: Rob Austein; ipv6@ietf.org; ipv6-ops@lists.cluenet.de;
> nav6tf@ipv6forum.com
> Subject: Re: IPv6 Type 0 Routing Header issues
> 
> I am facing a similar dilemma.  Currently editing version 2.0 draft of
> the US DoD "DISR Product Profiles for IPv6" and considering adding a
> THOU SHALT NOT or at least "it would be a great idea if you didn't"
> forward based on RH0 due to this vulnerability.  At the very least I
> will note this risk, suggesting that vendors SHOULD provide a means of
> disabling RH0, and also consider disabling by default.
> 
> Especially interested in strong opinions from vendors about difficulty
> in complying if that were the case.  Cross posting to NAv6TF as well,
> but please reply directly to ed.jankiewicz@sri.com and avoid cluttering
> up the lists with specific objections and suggestions.  I will summarize
> back to the lists.
> 
> Thanks
> Ed J.
> 
> Rob Austein wrote:
> > At Wed, 25 Apr 2007 09:41:09 +0200 (CEST), Mohacsi Janos wrote:
> >
> >> The current patch provided by OpenBSD/FreeBSD makes *BSD IPv6
> >> implemenation non-conformant to standard.
> >>
> >
> > Sometimes violating the standard is the only reasonable thing for an
> > implementor to do.  The (IPv4) stack I worked on back in the '90s
> > shipped with forwarding of directed broadcast disabled by default,
> > long before anybody had heard of a "smurf attack".  The stack had a
> > compile-time option to enable forwarding of directed broadcast; from
> > memory, the documentation for that option went something like this:
> >
> >   "This option exists solely to allow this software to comply with RFC
> >   1812.  Directed broadcast is dangerous, no matter what RFC 1812
> >   says.  Never enable this option under any circumstances."
> >
> > Eventually the IETF gathered the collective will to update the
> > standard, but as implementors we would have been derelict in our duty
> > to our customers had we waited for the IETF.
> >
> >
> 
> --
> Ed Jankiewicz - SRI International
> Fort Monmouth Branch Office - IPv6 Research
> Supporting DISA Standards Engineering Branch
> 732-389-1003 or  ed.jankiewicz@sri.com
>

References:
- IPv6 Type 0 Routing Header issues
  - From: Jeroen Massar <jeroen@unfix.org>
- Re: IPv6 Type 0 Routing Header issues
  - From: Jari Arkko <jari.arkko@piuha.net>
- Re: IPv6 Type 0 Routing Header issues
  - From: "George V. Neville-Neil" <gnn@neville-neil.com>
- Re: IPv6 Type 0 Routing Header issues
  - From: Mohacsi Janos <mohacsi@niif.hu>
- Re: IPv6 Type 0 Routing Header issues
  - From: Rob Austein <sra@isc.org>
- Re: IPv6 Type 0 Routing Header issues
  - From: Ed Jankiewicz <edward.jankiewicz@sri.com>

Prev by Date: RE: The argument for writing a general purpose NAT for IPv6
Next by Date: Re: The argument for writing a general purpose NAT for IPv6
Previous by thread: Re: IPv6 Type 0 Routing Header issues
Next by thread: Re: IPv6 Type 0 Routing Header issues
Index(es):
- Date
- Thread