
Re: ICMP message for ingress filtering



Iljitsch,

Hi shimmers,

After a discussion about performing proxy shim operation and the acceptability of NAT for that, it occurs to me that we never actually solved the ingress filtering issue.

When a host connects to ISPs A and B and then sends a packet with a source address from ISP A's address range out to ISP B, it's likely that ISP B will drop the packet because it has an "invalid" source address. Solving this in the general case is non-trivial, but I think it should be possible to get us most of the way there with a fairly simple mechanism: a new "source address prohibited" ICMP message. Just like when a host receives a "destination unreachable" message it tries a different destination address, receiving a "source address prohibited" message would make the host try a different source address.

In the last update to ICMPv6, RFC 4443, we added a Code to the Destination Unreachable ICMP error message:

    5 - Source address failed ingress/egress policy

    If the reason for the failure to deliver is that the packet with this
    source address is not allowed due to ingress or egress filtering
    policies, the Code field is set to 5.

A code for Reject Routes was also added.

The intent was to solve the problem as you described. It, of course, doesn't help with ICMP(v4).

Bob



Since this isn't a shim6- or even IPv6-specific issue (IPv4 hosts can also have multiple addresses, it's just not all that common) this would probably have to happen in the internet area working group but I thought I'd ask for feedback from this wg first.

The reason this came up in regard to shim6 proxying is that if a host behind such a proxy has ULA addresses or another address type with similar properties, it would be necessary to perform NAT to communicate with legacy IPv6 destinations. If you give the host behind the proxy regular PA addresses on the other hand, you are still largely bound by the limitations of those addresses. Alternatively, we could give a proxied host both ULA-like identifier addresses for use towards shim6-capable destinations and regular PA addresses for use towards legacy destinations. RFC 3484 address selection should help select the right source address here, but this isn't foolproof. So in case the host selects the wrong type of address, the proxy could send back a "source address prohibited" ICMP message and the host would retry with a different source address.

It would be good to get this into host IPv6 stacks even if routers won't support it immediately so that we can make use of this when we create shim6 proxies.

An ICMP message like this would also be useful for sites that would like to use ULA addressing for their internal network but regular addresses for connectivity to the internet.
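As an added illustration of the host-side behaviour discussed in this thread (not code from the thread or from RFC 4443): a handler that recognises an ICMPv6 Destination Unreachable with Code 5, recovers the rejected source address from the embedded IPv6 header, and picks a different configured source address for the retry. The addresses and the sample packet are constructed for the example.

```python
# Added example: host-side handling of ICMPv6 Destination Unreachable
# Code 5 ("source address failed ingress/egress policy", RFC 4443).
# Local addresses and the sample packet below are constructed values.
import ipaddress
import struct

ICMPV6_DEST_UNREACH = 1      # ICMPv6 Type 1
CODE_SRC_POLICY_FAILED = 5   # Destination Unreachable Code 5

def parse_dest_unreach(icmp: bytes):
    """Return (code, rejected_src, rejected_dst) from a Destination
    Unreachable message, or None if it is not one / is truncated."""
    if len(icmp) < 8 + 40:                 # ICMPv6 header + IPv6 header
        return None
    icmp_type, code, _cksum, _unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != ICMPV6_DEST_UNREACH:
        return None
    inner = icmp[8:]                       # the invoking IPv6 packet
    if inner[0] >> 4 != 6:                 # must be an IPv6 header
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    return code, src, dst

def choose_retry_source(icmp: bytes, local_ifaces, tried=()):
    """On Code 5, return an untried local source address to retry with;
    return None for any other message or when nothing is left to try."""
    parsed = parse_dest_unreach(icmp)
    if parsed is None or parsed[0] != CODE_SRC_POLICY_FAILED:
        return None
    _code, rejected, _dst = parsed
    excluded = {ipaddress.IPv6Address(t) for t in tried} | {rejected}
    ifaces = [ipaddress.IPv6Interface(i) for i in local_ifaces]
    candidates = [i for i in ifaces if i.ip not in excluded]
    # Addresses from the same prefix as the rejected one (e.g. ISP A's
    # range) will likely be filtered for the same reason: order them last.
    candidates.sort(key=lambda i: rejected in i.network)
    return candidates[0].ip if candidates else None

def build_sample(code: int, src: str, dst: str) -> bytes:
    """Construct a Destination Unreachable message (checksum left as 0)
    whose embedded IPv6 header carries the given addresses."""
    inner = struct.pack("!IHBB", 0x60000000, 0, 6, 64)   # ver 6, TCP, hl 64
    inner += ipaddress.IPv6Address(src).packed
    inner += ipaddress.IPv6Address(dst).packed
    return struct.pack("!BBHI", ICMPV6_DEST_UNREACH, code, 0, 0) + inner

if __name__ == "__main__":
    pkt = build_sample(5, "2001:db8:a::1", "2001:db8:ffff::1")
    print(choose_retry_source(pkt, ["2001:db8:a::1/48", "2001:db8:b::1/48"]))
```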