
Re: Comments on draft-wbeebee-ipv6-cpe-router-01.txt



> Even if the CPE Router has a default router out the WAN interface to the
> SP router, RPF may support a knob where "Allow default route to match
> when checking source address" is not allowed.  One can configure a
> router to disable checking the default route to match src-addr by RPF.
>
> shark(config-if)#ipv6 verify unicast source reachable-via rx ?
>  WORD           Access-list name
>  allow-default  Allow default route to match when checking source
> address
>  <cr>
>
> I have a spoofed packet with global src-addr input to the WAN interface
> of a standalone CPE Router - the destination of this packet is the
> global IPv6 address of a LAN interface.  Strict uRPF check will check if
> the src-addr is reachable by a path thru the input interface which is
> the WAN interface. The WAN interface, which is also a routed port has
> only a link-local address.  So how can the global address have a path
> thru the WAN interface that is assigned only a link-local address?

see RFC3704.
the uRPF check is done in the FIB, independent of addresses configured
on the interfaces (apart from installed connected routes, of course).

I don't see much value in running uRPF on receive for the WAN
interface. what isn't going to match the default route? you are only
protecting yourself from receiving packets spoofed with a source from
your own address space. as Antonio pointed out, doing it on the LAN
side has value.

> In general, if one even issues a ping to a global address and the ping
> has to go out the WAN interface which only has a link-local address
> configured, the ping will fail to head out because there is no valid
> source address for destination.  See a test from my IPv6 Cisco router
> where I have assigned only a link-local address to the network interface
> (FE80::205:FF:FEE0:74CE) that is supposed to send the ping out.

that is also incorrect, and I can say that with some level of
confidence since I wrote the IOS source address selection code in my
previous life.
IOS implements the weak host model, and will use an address from
another interface if the outgoing interface doesn't have an address of
sufficient scope. you need to have at least _one_ address configured
on the box obviously.

this is in any case host behaviour. you said: "...IPv6 routing and data
forwarding breaks down if a routed interface of a router has only a
link-local address." any other examples?

> shark#ping 2001:420:3800:800:203:BAFF:FE11:B644
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 2001:420:3800:800:203:BAFF:FE11:B644,
> timeout is 2 seconds:
>
> % No valid source address for destination
> Success rate is 0 percent (0/1)
> shark#
> shark#sh ipv6 int br
> Ethernet0/0/0              [up/up]
>    unassigned
> FastEthernet0/0/0          [up/up]
>    FE80::205:FF:FEE0:74CE

/ot
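The point made in this reply, that strict uRPF is a FIB lookup rather than a comparison against interface addresses, and that the check only pays off where the interface's routes are more specific than the default, can be modelled in a few lines. This is an added example, not code from the thread or from IOS; the FIB entries, prefixes and interface names are constructed for illustration.

```python
"""Toy strict uRPF ('reachable-via rx') as a longest-prefix FIB lookup."""
import ipaddress
from typing import Optional, Tuple

# Constructed FIB: (prefix, egress interface). The WAN interface carries
# only the default route; whether it has a global address is irrelevant,
# because the check consults the FIB, not interface addresses.
FIB = [
    (ipaddress.ip_network("::/0"), "WAN"),
    (ipaddress.ip_network("2001:db8:1::/64"), "LAN"),  # connected route
]
DEFAULT = ipaddress.ip_network("::/0")


def lookup(src: str) -> Optional[Tuple[ipaddress.IPv6Network, str]]:
    """Longest-prefix match of the source address in the FIB."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def strict_urpf(src: str, ingress: str, allow_default: bool = False) -> bool:
    """True if a packet with source `src` arriving on `ingress` passes strict
    uRPF. Without the allow-default knob, a source whose best match is the
    default route is dropped, mirroring the IOS option quoted above."""
    match = lookup(src)
    if match is None:
        return False
    net, ifc = match
    if net == DEFAULT and not allow_default:
        return False
    return ifc == ingress


def demo() -> dict:
    """Constructed cases from the discussion: WAN-side vs LAN-side checks."""
    return {
        # spoofed packet using our own LAN prefix arriving on WAN: dropped
        "own_space_on_wan": strict_urpf("2001:db8:1::5", "WAN"),
        # any other Internet source on WAN: dropped unless allow-default
        "internet_on_wan": strict_urpf("2001:db8:ffff::1", "WAN"),
        "internet_on_wan_allow_default": strict_urpf("2001:db8:ffff::1", "WAN", True),
        # LAN host with an address from the LAN prefix: passes
        "lan_host_on_lan": strict_urpf("2001:db8:1::5", "LAN"),
        # LAN host spoofing an outside source: dropped, the LAN-side value
        "spoof_on_lan": strict_urpf("2001:db8:ffff::1", "LAN"),
    }
```

Without allow-default the WAN check blocks everything that is not from the router's own address space, which is the limited value the reply describes; on the LAN side the connected route makes the check meaningful.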