[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational
From: Elwyn Davies <elwynd@dial.pipex.com>
Date: Wed, 28 Jun 2006 10:58:54 +0100
Cc: Fred Baker <fred@cisco.com>, David Kessens <david.kessens@nokia.com>, v6ops@ops.ietf.org
In-reply-to: <920B9F26-1848-42A2-AF1D-64837FABBD4A@muada.com>
References: <A6007915-F387-44E1-B8B2-69A1B21DA673@cisco.com> <920B9F26-1848-42A2-AF1D-64837FABBD4A@muada.com>
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

[Having returned from holiday..]

Note: We are talking about draft-v6ops-icmpv6-filtering-recs-01.


Iljitsch van Beijnum wrote:

On 13-jun-2006, at 21:52, Fred Baker wrote:
The real value in this document, besides suggesting appropriatefirewall configurations, is in the lines of reasoning presented forthe configuration elements. For example, a router solicitation bydefinition travels from a host seeking a first hop router to a systemthat it is directly connected to at a lower layer such as a wired orwireless Ethernet. The document recommends that this class of messagenever be forwarded, and one in fact hopes that not only would it notbe forwarded, but that the originator would set TTL=1 to prevent theoccurrence even if the router were misconfigured.
RFC 2461:

6.1.1.  Validation of Router Solicitation Messages

   Hosts MUST silently discard any received Router Solicitation
   Messages.

   A router MUST silently discard any received Router Solicitation
   messages that do not satisfy all of the following validity checks:

      - The IP Hop Limit field has a value of 255, i.e., the packet
        could not possibly have been forwarded by a router.
Although the document mentions using the hop limit at 255 as asecurity feature, I think this could be more prominent, as it may givepeople a reason to forego some or even all ICMPv6 filtering.
As such, the document collects a fair bit of wisdom from which theunschooled can learn.
You're making me bite my tongue here, Fred...

The draft itself is quite clear and accurate about the hop limit fieldin Router Solicitations (s 4.2.3 notes they must be received with hoplimit = 255). Fred's gloss needs to be corrected - a different examplein the proto questionnaire would be better!

   1.b) Has the document had adequate review from both key WG members
        and key non-WG members?  Do you have any concerns about the
        depth or breadth of the reviews that have been performed?
This document has been through working group review since itsintroduction about a year ago. This version responds to commentspresented during working group last call in May 2006. I believe thatit has had adequate review.
Please have the use of "hop count" changed to "hop limit" in thedocument to reflect the actual name of the field.

This was corrected in the changes from -00 to -01.

Regards,
Elwyn

References:
- draft-ietf-v6ops-icmpv6-filtering-recs to informational
  - From: Fred Baker <fred@cisco.com>
- Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: RE: IESG review of draft-ietf-v6ops-ent-analysis-06.txt
Next by Date: Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational
Previous by thread: Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational
Next by thread: Re: draft-ietf-v6ops-icmpv6-filtering-recs to informational
Index(es):
- Date
- Thread