
Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational
Just a couple of comments on this.

First, we should remember that all this hop count checking is pretty weak
security for protocols that have mechanisms like IPsec and SEND available.
Anyone who sees a packet can mess around with it and resend it wherever
one chooses.

Second, I don't see much benefit to the hop count = 1 trick. If the sender
wants the packet not to be routed, send it to a destination address on the
same segment.

Third, the hop count = 255 trick may have some benefit if routers and
other packet forwarders (we have lots of them in IPv6) are behaving
properly. But remember, for example, that packets from anywhere popping
out an IPv6-in-IPv4 transition mechanism tunnel don't typically get their
hop count decremented, so 255 can mean anything at that point.

Rich Graveman

> On Tue, Jun 13, 2006 at 05:29:53PM -0700, Fred Baker wrote:
>> As to my comment on the Hop Limit, I did read the document. It
>> states, in several places, that the recommendation is that the Hop
>> Limit be set to 255 and tested for still being 255 on receipt. What I
>> stated was that I would go at it a different way. If the packet is
>> sent with Hop Limit = 1, it cannot pass a compliant router or
>> firewall, so there is no need to test for whether it did or didn't.
>> My way is, I think, more robust - it depends only on the sender, not
>> the sender and the receiver.
>
> Well, actually I tend to disagree.  If you're concerned about security,
> you must assume that the sender will do everything possible to break
> things - and that way, he will NOT be well-behaved and send out packets
> with a TTL of 1.
>
> Making the TTL=255? check on the receiver makes sure that the packet MUST
> come from a directly connected host - no matter how ill the intentions of
> the sender.
>
> Gert Doering
>         -- NetMaster
> --
> Total number of prefixes smaller than registry allocations:  92315
>
> SpaceNet AG                    Mail: netmaster@Space.Net
> Joseph-Dollinger-Bogen 14      Tel : +49-89-32356-0
> D- 80807 Muenchen              Fax : +49-89-32356-234
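The receiver-side "Hop Limit still 255" check, the compliant-router behaviour that makes it meaningful, and the IPv6-in-IPv4 tunnel caveat raised above, as an added Python example (not code from the thread; the addresses and the minimal IPv4 wrapper are constructed, no checksums are computed, and no extension headers are handled):

```python
import struct

ICMPV6 = 58          # IPv6 Next Header value for ICMPv6
IPV6_IN_IPV4 = 41    # IPv4 protocol number for encapsulated IPv6
IPV6_HDR_LEN = 40

def build_ipv6(src: bytes, dst: bytes, hop_limit: int, payload: bytes,
               next_header: int = ICMPV6) -> bytes:
    """Build a minimal IPv6 packet (constructed test data, no extension headers)."""
    # version=6, traffic class=0, flow label=0 -> first 32 bits are 0x60000000
    header = struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                         next_header, hop_limit, src, dst)
    return header + payload

def hop_limit(packet: bytes) -> int:
    """Return the Hop Limit field (byte 7) of an IPv6 packet."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return packet[7]

def receiver_accepts(packet: bytes) -> bool:
    """Receiver-side rule from the thread: accept only if Hop Limit is still 255,
    i.e. no compliant router or firewall has forwarded the packet."""
    return hop_limit(packet) == 255

def router_forward(packet: bytes):
    """Compliant IPv6 router: decrement Hop Limit, drop when it would reach 0.
    A packet sent with Hop Limit 1 therefore never leaves its link."""
    hl = hop_limit(packet)
    if hl <= 1:
        return None
    return packet[:7] + bytes([hl - 1]) + packet[8:]

def ipv4_encapsulate(inner_ipv6: bytes, ttl: int = 64) -> bytes:
    """Wrap an IPv6 packet in a minimal IPv4 header, protocol 41 (constructed,
    checksum left at 0)."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6), 0, 0,
                       ttl, IPV6_IN_IPV4, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ipv4 + inner_ipv6

def ipv4_router_forward(packet: bytes):
    """IPv4 router on the tunnel path: decrements the outer TTL (byte 8) only;
    the encapsulated IPv6 Hop Limit is never touched."""
    ttl = packet[8]
    if ttl <= 1:
        return None
    return packet[:8] + bytes([ttl - 1]) + packet[9:]

def ipv4_decapsulate(packet: bytes) -> bytes:
    """Tunnel endpoint: strip the IPv4 header and hand the inner packet on
    unchanged, so a Hop Limit of 255 survives any number of IPv4 hops."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPV6_IN_IPV4:
        raise ValueError("not IPv6-in-IPv4")
    return packet[ihl:]
```

Run the functions in sequence: a neighbour's packet passes the check, the same packet after one router hop fails it, and a packet that crossed two IPv4 routers inside a tunnel still arrives with Hop Limit 255.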