Re: IPv6 Type 0 Routing Header issues
On Wed, Apr 25, 2007 at 09:41:09AM +0200, Mohacsi Janos wrote:
> I think this is not a solution. The problems of routing header type 0 have
> been well known by the community for a long time. This has been documented
> for more than 2-3 years now (raised 4 years ago). Is there any consensus that
> type 0 routing header should be deprecated? Until that it is documented to
> be filtered if there is no need for it. The current patch provided by
> OpenBSD/FreeBSD makes *BSD IPv6 implementation non-conformant to the standard.
Well, one could argue that the standard isn't very well-written then - a
machine that is a *host* should NEVER forward packets, period.
That's what we have routers for, and there is a well-defined way to
change a *BSD machine from a "host" to a "router" (turn on ip6.forwarding).
> I would rather focus on pf changes - allow filtering based on the routing
> header type. Currently you can filter based on existence/non-existence of
> routing header type. This is currently clearly not enough....
Extending pf(4) accordingly would certainly be a good thing, as it could
help other machines behind a NetBSD firewall.
(BTW - what's pf(4) doing if a packet comes with RH0? Which address
does it use for ACL checking, and which address is used for state setup?)
Total number of prefixes smaller than registry allocations: 113403
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279