RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]

To: "'Brian E Carpenter'" <brc at zurich.ibm.com>, "'IETF IPv6 Mailing List'" <ipv6 at ietf.org>
Subject: RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
From: "Tony Hain" <alh-ietf at tndh.net>
Date: Thu, 26 Apr 2007 15:58:37 -0700
Cc:
In-reply-to: <46307C0E.9060809@zurich.ibm.com>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
References: <462D4706.4000504@spaghetti.zurich.ibm.com> <462E7AB4.3050807@piuha.net> <m2mz0xp6je.wl%gnn@neville-neil.com> <20070425093402.A30586@mignon.ki.iif.hu> <20070425141336.E95D522875@thrintun.hactrn.net> <462F7005.50700@sri.com> <CE11116E-DF68-481D-AB30-E592C339CEFB@nokia.com> <46307C0E.9060809@zurich.ibm.com>
Reply-to: alh-ietf at tndh.net
Thread-index: AceH7AuZvGsv1j2WTs60CpVyMXIfeAAaduHg

I thought we already limited to 1 RH0 per packet, but I will have to go back and take a closer look. 

As I said on V6ops, before you kill this off too quickly, James Woodyatt's proxy redirection is a perfect example of a valid use for Type 0 Routing Headers. He wants the firewall to redirect traffic through a designated point (what this header was designed to do), and the only hammer at his immediate disposal was IPv6/IPv6 nat. What I don't know is if the firewall can insert one that did not exist, because the source wouldn't know about his 'transparent' proxy. 

It is certainly reasonable to have a BCP that says 'these should be filtered at policy boundaries unless there is a good reason to do otherwise', but they are a tool to solve some very specific corner cases. I would say that firewalls should drop these by default, but the rest of the system should recognize them as normal.

Tony

> -----Original Message-----
> From: Brian E Carpenter [mailto:brc at zurich.ibm.com]
> Sent: Thursday, April 26, 2007 3:17 AM
> To: IETF IPv6 Mailing List
> Subject: Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header
> issues]
> 
> On 2007-04-26 02:39, Bob Hinden wrote:
> > [trimming this to just the IPv6 w.g.]
> >
> > We think the question for the IPv6 working group on this topic is does
> > the working group want to do anything to address the issues raised
> about
> > the Type 0 routing header.  Possible actions include:
> >
> >  1) Deprecate all usage of RH0
> >  2) Recommend that RH0 support be off by default in hosts and routers
> >  3) Recommend that RH0 support be off by default in hosts
> >  4) Limit it's usage to one RH0 per IPv6 packet and limit the number
> of
> > addresses in one RH0.
> 
> Excuse my ignorance, but have the following three rules ever been
> considered?
> 
> 1. The list of addresses in an RH0 MUST NOT include the packet's source
> address.
> 2. The same address MUST NOT occur more than once in an RH0.
> 3. A node processing an RH0 MUST discard any packet breaking these two
> rules.
> 
> I'd be interested in whether this would eliminate the various attacks.
> 
> (I'm not really advocating this, since it is added complexity for
> a feature that we don't obviously need anyway. But if we don't deprecate
> it, all the other options seem to leave the threats in place.)
> 
>       Brian
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6 at ietf.org
> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Follow-Ups:
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
  - From: james woodyatt

References:
- IPv6 Type 0 Routing Header issues
  - From: Jeroen Massar
- Re: IPv6 Type 0 Routing Header issues
  - From: Jari Arkko
- Re: IPv6 Type 0 Routing Header issues
  - From: George V. Neville-Neil
- Re: IPv6 Type 0 Routing Header issues
  - From: Mohacsi Janos
- Re: IPv6 Type 0 Routing Header issues
  - From: Rob Austein
- Re: IPv6 Type 0 Routing Header issues
  - From: Ed Jankiewicz
- Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
  - From: Bob Hinden
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
  - From: Brian E Carpenter

Prev by Date: RE: IPv6 Type 0 Routing Header issues
Next by Date: Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
Previous by thread: Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
Next by thread: Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
Index(es):
- Date
- Thread

RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.