[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPv6 Type 0 Routing Header issues
On Wed, Apr 25, 2007 at 09:41:09AM +0200, Mohacsi Janos wrote:
> I think this is not a solution. The problems of routing header type 0 well
> know by the community since long time. This has been documented for more
> than 2-3 years know (raised 4 years ago). Are there any consensus, that
> type 0 routing header should be deprecated? Until that it is documented to
> be filtered if there is no need for it. The current patch provided by
> OpenBSD/FreeBSD makes *BSD IPv6 implemenation non-conformant to standard.
> I would rather focus on pf changes - allow filtering based on the routing
> header type. Currently you can filter based existence/non-existence of
> routing header type.
It seems to me that there are at least two questions here. One is,
"Should IPv6 nodes process type 0 routing headers by default?" The
second is, "should the network allow type 0 routing headers to pass?"
This is a bit like they choice you have for blocking a smurf attack.
You can block it by turning off directed broadcasts (on the edge)
or you can block it by blocking ICMP packets throughout the network.
I think it may actually be that we do not want nodes to process
type 0 routing headers by default, but the network should pass them.
The reason for this is that the type 0 headers have useful applications
which could be secured by end hosts without getting the network
involved at all. Then end hosts that want to use the routing header
can, and those that don't are secure by default.
I could easily be wrong though...