RE: Comments on draft-wbeebee-ipv6-cpe-router-01.txt
Even if the CPE Router has a default router out the WAN interface to the
SP router, RPF may support a knob where "Allow default route to match
when checking source address" is not allowed. One can configure a
router to disable checking the default route to match src-addr by RPF.
shark(config-if)#ipv6 verify unicast source reachable-via rx ?
WORD Access-list name
allow-default Allow default route to match when checking source
address
<cr>
I have a spoofed packet with global src-addr input to the WAN interface
of a standalone CPE Router - the destination of this packet is the
global IPv6 address of a LAN interface. Strict uRPF check will check if
the src-addr is reachable by a path thru the input interface which is
the WAN interface. The WAN interface, which is also a routed port, has
only a link-local address. So how can the global address have a path
through the WAN interface that is assigned only a link-local address?
In general, if one even issues a ping to a global address and the ping
has to go out the WAN interface which only has a link-local address
configured, the ping will fail to head out because there is no valid
source address for destination. See a test from my IPv6 Cisco router
where I have assigned only a link-local address to the network interface
(FE80::205:FF:FEE0:74CE) that is supposed to send the ping out.
shark#ping 2001:420:3800:800:203:BAFF:FE11:B644
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:420:3800:800:203:BAFF:FE11:B644,
timeout is 2 seconds:
% No valid source address for destination
Success rate is 0 percent (0/1)
shark#
shark#sh ipv6 int br
Ethernet0/0/0 [up/up]
unassigned
FastEthernet0/0/0 [up/up]
FE80::205:FF:FEE0:74CE
Hemant
-----Original Message-----
From: Antonio Querubin [mailto:tony@lava.net]
Sent: Tuesday, July 15, 2008 9:17 PM
To: Hemant Singh (shemant)
Cc: Ole Troan; Stark, Barbara; v6ops@ops.ietf.org
Subject: RE: Comments on draft-wbeebee-ipv6-cpe-router-01.txt
On Tue, 15 Jul 2008, Hemant Singh (shemant) wrote:
> Ole said: why do you need a global address on the WAN interface
> because the CPE router is a router??
>
> RPF (Reverse Path Forwarding) will fail and if RPF fails for a router,
> due to security concerns, the router should drop the incoming packet.
> If the WAN interface of the CPE Router does not have a global IPV6
> address, how is RPF going to work? RPF needs global IPv6 addresses.
I'm confused. How would RPF fail if the router will normally have a
default route out the WAN interface?
Antonio Querubin
whois: AQ7-ARIN
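Added example, not from either author: a small Python model of the strict uRPF check debated above. It uses constructed prefixes (2001:db8::/32 documentation space) and shows how a source that only matches the default route out the WAN is treated with and without the "allow-default" knob, and how a LAN-prefix source arriving on the WAN is dropped either way.

```python
import ipaddress

# Constructed FIB of a CPE router: (prefix, egress interface).
# "::/0" via WAN is the default route toward the SP router discussed in the thread.
# The WAN interface itself carries no global address; only the FIB matters here.
FIB = [
    (ipaddress.ip_network("::/0"), "WAN"),
    (ipaddress.ip_network("2001:db8:1::/64"), "LAN"),  # constructed LAN prefix
]


def lookup(src):
    """Longest-prefix match of a source address against FIB.

    Returns (prefix, interface) or None when nothing matches.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for net, ifname in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def strict_urpf(src, ingress, allow_default=False):
    """Return True if a packet with source src passes strict uRPF on ingress.

    Strict mode: the best route back to src must point out the ingress
    interface. With allow_default=False (the knob left off), a match on the
    default route alone does not count as a valid reverse path.
    """
    match = lookup(src)
    if match is None:
        return False
    net, ifname = match
    if net.prefixlen == 0 and not allow_default:
        return False  # only the default route matched; rejected
    return ifname == ingress


if __name__ == "__main__":
    # Constructed packets: (source, ingress interface)
    packets = [
        ("2001:db8:1::10", "WAN"),     # spoofed LAN source arriving from the SP
        ("2001:db8:1::10", "LAN"),     # genuine LAN host
        ("2001:db8:ffff::1", "WAN"),   # remote Internet host via the default route
    ]
    for knob in (False, True):
        for src, ingress in packets:
            verdict = "pass" if strict_urpf(src, ingress, knob) else "drop"
            print(f"allow-default={knob!s:5} {src:>18} on {ingress}: {verdict}")
```

Without allow-default, every packet arriving on the WAN is dropped, since the default route is the only route pointing out that interface; with it, the spoofed LAN source is still dropped while genuine Internet sources pass.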