On Wed, 5 Sep 2001, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    > => to have the choice of the transit ISP, not only the first one, is nice.
>    > I'd like to get this feature in the kernel controlled by a policy, today
>    > I have to hack my Cisco config to do the same thing, this is not scalable.
>
>    You could negotiate with your upstream to have routing header forwarding
>    enabled.
>
> => I should not... Source routing is supposed to be enabled by default on
> routers, including my upstream ISP routers. The current situation for
> IPv4 is from laziness and FUD, I expect to get something better for IPv6.

As far as I see, the issues are basically the same.  No one has bothered
to implement the firewall checks for verifying "legal" source-routes from
Source Route options either.

>    > => to add a flag which controls the forwarding of source routed packets
>    > won't make them non-compliant, just a bit more secure. I am afraid you
>    > see requirements in RFC 2460 which are not in it.
>
>    A flag will not, but how the flag would be set for hosts by default would
>    :-)
>
> => where in RFC 2460 you have read that. I am still looking for this kind
> of statements and I can't find it.

The spec talks about nodes.  Hosts and routers are both nodes.

>    "Mobile IPv6?  We don't need no MIPv6!"
>
> => I can't parse this.

Cutting out the redneck:  "Mobile IPv6?  We don't need MIPv6!"

Also see below.

>    .. Unless you have a good suggestion on how to perform routing header
>    sanity checks in a real firewall, I think we should close this thread.
>
> => first you have three possible positions for a firewall:
>  - filtering outbound traffic from your site
>  - filtering inbound traffic to your site
>  - inside the backbone
> For many reasons (speed, lack of good policy, ...), no firewall should be
> in the last position. About outbound traffic, I can't see a good reason to
> check source routes, so the issue is with inbound traffic.

Please also see above; why has nobody bothered to do any checking for IPv4
source routes?  I don't see that people would be significantly more
enthusiastic about that with IPv6, _unless_ there are some new killer
applications using it _securely_.

> First you can reject source routed packets with a type != 0, and
> accept all with segment left == 0. Other source routed packets enter
> in one of three cases:
>  - will bounce inside the site: apply a local policy (default is to reject
>    packets but if you ask a peer to source route via a specified router (*)
>    you may accept only packets via this router for instance).
>  - will bounce outside the site: reject them if they are not special cases
>    (testing tools for instance). Rate limit them!

Basically these cover all significant applications (except MIPv6) where
the packet would still be source-routed anywhere, yes?  (If not, please
elaborate on how multihoming relations could be made abstract enough for a
firewall).

(one exception: if there is AH, return route will be source routed; this
will be ok, as the reflected path will be outside your own jurisdiction
anyway, and authenticated).

>  - for mobile node: apply a local policy, for instance detect mobile nodes
>    (home address option, binding updates (signaling), explicit negotiation
>     via AAA (my favorite because it works for home address options too))
>    and recognize this case. This scheme has already been implemented
>    so I can find more details...

The only problem with this is that I fail to see how you _really_ could
identify mobile nodes.  Requiring state in the firewall for this is
probably unacceptable.


In general, short of the MN problem above these sound rather good.

Only, I would want to have something like this implemented in every router
(which would make the behaviour rather close to "disabled by default",
except for Mobile IPv6, if the problems can be identified).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
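The inbound filtering policy Francis sketches above (reject routing type != 0, accept segments left == 0, then decide by whether the remaining hops bounce inside or outside the site, with rate limiting for the outside case), written out as a stateless classifier over raw IPv6 packets. This is an added example for this archived thread, not code from either poster or from any firewall product. It assumes the routing header directly follows the fixed IPv6 header (no other extension headers in front of it), and the site prefix, relay router, test-tool source and packet contents are constructed values from the 2001:db8::/32 documentation range. The mobile-node case is deliberately left out, since it needs per-flow state, which is exactly the objection raised in the reply. One caveat a practitioner should know: RFC 5095 (2007) deprecated routing header type 0 entirely, so a current node simply discards an RH0 with non-zero segments left; the "accept type 0" branch below reflects the 2001 discussion, not present-day best practice.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

IPV6_HDR_LEN = 40
NH_ROUTING = 43   # IPv6 Routing extension header (RFC 2460)
NH_NONE = 59      # "No Next Header": the constructed packets carry no payload
RH_TYPE0 = 0


@dataclass
class RoutingHeader:
    routing_type: int
    segments_left: int
    addresses: List[ipaddress.IPv6Address]


def build_rh0_packet(src, dst, hops, segments_left, routing_type=RH_TYPE0) -> bytes:
    """Constructed IPv6 packet: fixed header followed by one routing header."""
    body = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    # Hdr Ext Len counts 8-octet units beyond the first 8 octets: 2 per address.
    rh = struct.pack("!BBBBI", NH_NONE, 2 * len(hops), routing_type, segments_left, 0) + body
    fixed = struct.pack("!IHBB", 0x60000000, len(rh), NH_ROUTING, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh


def parse_routing_header(pkt: bytes) -> Optional[RoutingHeader]:
    """Return the routing header, None if the packet has none, ValueError if malformed.
    Assumption: the routing header is the first extension header."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != NH_ROUTING:
        return None
    off = IPV6_HDR_LEN
    if len(pkt) < off + 8:
        raise ValueError("truncated routing header")
    ext_len, rtype, seg_left = pkt[off + 1], pkt[off + 2], pkt[off + 3]
    if len(pkt) < off + 8 + 8 * ext_len or (rtype == RH_TYPE0 and ext_len % 2):
        raise ValueError("bad Hdr Ext Len")   # RFC 2460 4.4: odd length is invalid for type 0
    addrs = [ipaddress.IPv6Address(pkt[off + 8 + 16 * i: off + 24 + 16 * i])
             for i in range(ext_len // 2)]
    return RoutingHeader(rtype, seg_left, addrs)


class TokenBucket:
    """Deterministic token bucket; the caller passes the clock so tests are repeatable."""
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


@dataclass
class InboundPolicy:
    site: ipaddress.IPv6Network
    allowed_relays: Set[ipaddress.IPv6Address]   # routers peers were asked to route via
    test_sources: Set[ipaddress.IPv6Address]     # "testing tools" allowed to bounce outside
    bucket: TokenBucket


def classify(pkt: bytes, policy: InboundPolicy, now: float) -> str:
    try:
        rh = parse_routing_header(pkt)
    except ValueError:
        return "REJECT-malformed"
    if rh is None:
        return "ACCEPT"                      # not source routed: nothing to check here
    if rh.routing_type != RH_TYPE0:
        return "REJECT-unknown-type"         # "reject source routed packets with a type != 0"
    if rh.segments_left == 0:
        return "ACCEPT-segments-left-0"      # route exhausted; header is inert
    if rh.segments_left > len(rh.addresses):
        return "REJECT-malformed"
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])  # current hop, i.e. the relay being used
    remaining = rh.addresses[len(rh.addresses) - rh.segments_left:]
    if all(a in policy.site for a in remaining):
        # bounces inside the site: local policy, default reject, allow only via the agreed relay
        return "ACCEPT-via-relay" if dst in policy.allowed_relays else "REJECT-bounce-inside"
    # bounces back outside the site: special cases only, and rate limited
    if src not in policy.test_sources:
        return "REJECT-bounce-outside"
    return "ACCEPT-test-ratelimited" if policy.bucket.allow(now) else "DROP-ratelimit"


def demo_policy() -> InboundPolicy:
    """Constructed site: 2001:db8:1::/48, one agreed relay, one test-tool source."""
    return InboundPolicy(
        site=ipaddress.IPv6Network("2001:db8:1::/48"),
        allowed_relays={ipaddress.IPv6Address("2001:db8:1::1")},
        test_sources={ipaddress.IPv6Address("2001:db8:2::99")},
        bucket=TokenBucket(rate_per_sec=1.0, burst=2),
    )
```

The outside-bounce branch is the one that matters most for abuse resistance: a packet whose remaining hops leave the site would use the site as a reflector, so it is refused unless it comes from an explicitly listed test source, and even then the token bucket caps how many get through per second.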
