
RE: Comments on draft-wbeebee-ipv6-cpe-router-01.txt



Even if the CPE Router has a default router out the WAN interface to the
SP router, RPF may support a knob where "Allow default route to match
when checking source address" is not allowed.  One can configure a
router to disable checking the default route to match src-addr by RPF.

shark(config-if)#ipv6 verify unicast source reachable-via rx ?
  WORD           Access-list name
  allow-default  Allow default route to match when checking source address
  <cr>

I have a spoofed packet with global src-addr input to the WAN interface
of a standalone CPE Router - the destination of this packet is the
global IPv6 address of a LAN interface.  Strict uRPF check will check if
the src-addr is reachable by a path through the input interface, which is
the WAN interface. The WAN interface, which is also a routed port, has
only a link-local address.  So how can the global address have a path
through the WAN interface that is assigned only a link-local address?

In general, if one even issues a ping to a global address and the ping
has to go out the WAN interface which only has a link-local address
configured, the ping will fail to head out because there is no valid
source address for destination.  See a test from my IPv6 Cisco router
where I have assigned only a link-local address to the network interface
(FE80::205:FF:FEE0:74CE) that is supposed to send the ping out. 

shark#ping 2001:420:3800:800:203:BAFF:FE11:B644

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:420:3800:800:203:BAFF:FE11:B644,
timeout is 2 seconds:

% No valid source address for destination
Success rate is 0 percent (0/1)
shark#
shark#sh ipv6 int br
Ethernet0/0/0              [up/up]
    unassigned
FastEthernet0/0/0          [up/up]
    FE80::205:FF:FEE0:74CE

Hemant  
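The exchange above turns on what strict uRPF does when the only FIB entry covering a packet's source is the default route, and whether the "allow-default" knob is on. The following Python model of the lookup is an added example, not part of this thread or of any vendor's implementation. The FIB contents, the interface names "lan0" and "wan0", and the 2001:db8::/32 addresses are constructed for illustration; the decision logic is longest-prefix match followed by the strict/loose and allow-default checks the thread describes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network
    interface: str


DEFAULT = ipaddress.IPv6Network("::/0")

# Constructed FIB for a standalone CPE router: one global LAN prefix reachable
# via the LAN interface and a default route out the WAN interface. The WAN
# interface itself carries only a link-local address, so no global prefix
# points at it other than the default route. (interface names are assumed)
CPE_FIB = [
    Route(ipaddress.IPv6Network("2001:db8:1::/64"), "lan0"),
    Route(DEFAULT, "wan0"),
]


def lookup(fib, addr):
    """Longest-prefix match over the FIB; returns the best Route or None."""
    best = None
    for route in fib:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Decide whether a packet with source `src` arriving on `ingress` passes uRPF.

    mode="strict": the best path back to the source must leave via `ingress`.
    mode="loose":  any route back to the source is enough.
    allow_default: whether a default-route match counts as reachability
                   (models the CLI knob quoted in the thread).
    Returns (accept, reason).
    """
    src = ipaddress.IPv6Address(src)
    route = lookup(fib, src)
    if route is None:
        return False, "no route to source"
    if route.prefix == DEFAULT and not allow_default:
        return False, "only the default route covers the source and allow-default is off"
    if mode == "loose":
        return True, f"loose: source reachable via {route.interface}"
    if route.interface == ingress:
        return True, f"strict: best path to source is via ingress {ingress}"
    return False, (
        f"strict: best path to source is via {route.interface}, "
        f"but packet arrived on {ingress}"
    )


def demo():
    """Run the cases from the thread against the constructed FIB."""
    cases = {
        # Hemant's case: spoofed global source entering on the WAN side.
        "spoofed_wan_no_default": urpf_check(CPE_FIB, "2001:db8:ffff::1", "wan0"),
        "spoofed_wan_allow_default": urpf_check(
            CPE_FIB, "2001:db8:ffff::1", "wan0", allow_default=True
        ),
        # Packet claiming a LAN source but arriving from the WAN: strict mode
        # drops it even with allow-default, because the LAN /64 wins LPM.
        "lan_source_on_wan": urpf_check(
            CPE_FIB, "2001:db8:1::10", "wan0", allow_default=True
        ),
        # Legitimate LAN host sending toward the Internet.
        "lan_source_on_lan": urpf_check(CPE_FIB, "2001:db8:1::10", "lan0"),
    }
    for name, (accept, reason) in cases.items():
        print(f"{name:28s} {'ACCEPT' if accept else 'DROP  '}  {reason}")
    return cases


if __name__ == "__main__":
    demo()
```

With allow-default off, a WAN-side packet whose source is covered only by the default route is dropped, which is the behaviour Hemant is pointing at; with the knob on, Antonio's observation holds and the default route satisfies the check. Either way, a packet arriving on the WAN with a source inside the LAN prefix is dropped in strict mode, since longest-prefix match sends the return path out the LAN interface.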

-----Original Message-----
From: Antonio Querubin [mailto:tony@lava.net] 
Sent: Tuesday, July 15, 2008 9:17 PM
To: Hemant Singh (shemant)
Cc: Ole Troan; Stark, Barbara; v6ops@ops.ietf.org
Subject: RE: Comments on draft-wbeebee-ipv6-cpe-router-01.txt

On Tue, 15 Jul 2008, Hemant Singh (shemant) wrote:

> Ole said: why do you need a global address on the WAN interface 
> because the CPE router is a router??
>
> RPF (Reverse Path Forwarding) will fail and if RPF fails for a router,
> due to security concerns, the router should drop the incoming packet. 
> If the WAN interface of the CPE Router does not have a global IPV6 
> address, how is RPF going to work? RPF needs global IPv6 addresses.

I'm confused.  How would RPF fail if the router will normally have a
default route out the WAN interface?

Antonio Querubin
whois:  AQ7-ARIN