Re: draft-ietf-ipv6-deprecate-rh0-01-candidate-00 - ingress filtering



> > 	i'm writing it with an assumption that nodes would perform ingress
> > 	filtering against packets with source-routing header properly - yup,
> > 	they CANNOT perform ingress filtering due to the existence and the
> > 	nature of the source-routing.  it is natural for source-routed packets
> > 	to have its source address which seems strange for normal ingress
> > 	filtering.  if nodes were to filter out source-routed packets based
> > 	on ingress filtering, those implementations are mistaken!
> 
> If I understand you correctly, you're either 1) assuming that ingress 
> filtering implementations would treat packets with a source 
> routing/rtheader differently, e.g., to allow all such packets 
> regardless of the source, or 2) arguing that the behaviour of a 
> "source-routing friendly" ingress filter should be to allow source 
> routing even with topologically incorrect source addresses.

	i guess i'm saying (2).

> I don't believe I've seen any implementation of uRPF or similar 
> filtering method that would do 1).
> 
> While the merits of 2) could be argued, I believe this is not the 
> right list to discuss how ingress filters could/should be more 
> source-routing friendly.
> 
> In either case, I believe currently deployed ingress filters will 
> practically block bouncing attacks with rh0 or ipv4 source routing.

	then, rthdr7 would need to rewrite source address on IPv6 header every
	intermediate hop, and use mobile-ip6 home address option for the real
	source address.  scary...
	i would not hold my breath for rthdr7.  ops guys, too bad...

itojun

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
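The filtering behaviour discussed in this message, as an added example that is not part of the original thread: a strict uRPF check looks only at the source address, while RH0 processing at a waypoint swaps the destination and leaves the source untouched, so the re-emitted packet fails the check at the waypoint's edge. The FIB, interface names and addresses (documentation prefix 2001:db8::/32) are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed FIB of the filtering router: prefix -> interface it is reached on.
FIB = {
    "2001:db8:a::/48": "cust-a",   # customer network A (original sender)
    "2001:db8:b::/48": "cust-b",   # customer network B (hosts the RH0 waypoint)
    "::/0": "upstream",
}

@dataclass
class Packet:
    src: str
    dst: str
    rh0_addrs: list = field(default_factory=list)  # Type 0 routing header addresses
    segments_left: int = 0

def rh0_process(pkt):
    """RFC 2460 RH0 handling at the node that owns pkt.dst: swap the destination
    with the next listed address. The source address is never rewritten."""
    if pkt.segments_left == 0:
        return pkt
    i = len(pkt.rh0_addrs) - pkt.segments_left
    addrs = list(pkt.rh0_addrs)
    addrs[i], new_dst = pkt.dst, addrs[i]
    return Packet(pkt.src, new_dst, addrs, pkt.segments_left - 1)

def strict_urpf_accepts(pkt, ingress_if):
    """Strict reverse-path check: longest-prefix match on the source only;
    the routing header is not consulted."""
    src = ipaddress.ip_address(pkt.src)
    matches = [ipaddress.ip_network(p) for p in FIB if src in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return FIB[str(best)] == ingress_if

if __name__ == "__main__":
    # Sender in A source-routes via a waypoint in B toward a remote final hop.
    first = Packet("2001:db8:a::1", "2001:db8:b::1", ["2001:db8:ffff::1"], 1)
    print("leg 1 on cust-a:", strict_urpf_accepts(first, "cust-a"))    # True
    bounced = rh0_process(first)                                       # at the waypoint
    print("leg 2 on cust-b:", strict_urpf_accepts(bounced, "cust-b"))  # False
```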



