Richard Draves writes:
> > > My understanding of RFC 2460 is that all nodes, meaning both hosts and
> > > routers, should process Routing Headers.
> >
> > It is mine as well, but that still doesn't make it sane or
> > safe behaviour; which is why I was gauging opinions on 1) how
> > you interpret RFC2460 and 2) how you should implement RFC2460
> > wrt. routing headers.
>
> After giving this some thought, I think RFC 2460 should be revised to
> incorporate some security precautions. I suggest two separate
> restrictions on Routing Header processing.
>
> 1. When processing a Routing Header, hosts should only forward the
> packet to another node via the same interface by which it arrived.

Is this to prevent bypass of firewall access control?
If so, why couldn't you just reclassify the packet
after you pop the routing header against the firewall
rules again? I'd be a little worried about the implications
for routing loops if you don't follow least cost routing.
(Is this a really dumb question for a well known attack?)

> 2. When processing a Routing Header, nodes should compare the scope of
> the current and new destination addresses and only forward the packet if
> the new destination address has scope equal or greater than the old
> destination scope.

Again, this seems to be trying to enforce something
from within the routing system which is usually
enforced by access control lists at border gateways.
IP-IP encapsulation would yield the same result, and
it seems to me that you just want to set up a rule
at your site border router that just precludes site
local addresses from entering the site *regardless*
of how they get there. I'm a little worried that
putting in half-measures in IPv6's treatment of site/link
locals might lull people into a potentially false sense
of security if there are other cases which are missed.

Mike
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
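
The two restrictions quoted in the message above, and the border rule suggested in the reply, written out as an added example that is not part of the original message or of any IPv6 implementation. The function names, interface names and `2001:db8::` addresses are constructed for illustration, and only unicast link-local, site-local and global scopes are modelled.

```python
import ipaddress

# Scope ranking for the unicast scopes discussed in the thread (assumption:
# anything that is not link-local or site-local is treated as global).
LINK, SITE, GLOBAL = 1, 2, 3
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SITE_LOCAL = ipaddress.ip_network("fec0::/10")


def scope(addr):
    """Return the scope rank of an IPv6 unicast address string."""
    a = ipaddress.ip_address(addr)
    if a in LINK_LOCAL:
        return LINK
    if a in SITE_LOCAL:
        return SITE
    return GLOBAL


def may_forward(old_dst, new_dst, in_if, out_if, is_host):
    """Apply the two proposed Routing Header restrictions.

    old_dst/new_dst are the destination before and after the swap with the
    next Routing Header entry. Returns (allowed, reason).
    """
    # Restriction 1: a host only forwards back out the arrival interface.
    if is_host and in_if != out_if:
        return False, "rule 1: host would forward via a different interface"
    # Restriction 2: the new destination must not have a smaller scope.
    if scope(new_dst) < scope(old_dst):
        return False, "rule 2: new destination has smaller scope"
    return True, "ok"


def border_permits(addresses):
    """The reply's alternative: a site border rule that drops any packet
    carrying a site-local address. Which addresses the filter inspects
    (source, destination, Routing Header entries) is the caller's choice."""
    return all(scope(a) != SITE for a in addresses)


if __name__ == "__main__":
    # Constructed case: global destination rewritten to a site-local one.
    print(may_forward("2001:db8::1", "fec0::5", "eth0", "eth0", True))
    print(border_permits(["2001:db8::9", "2001:db8::1", "fec0::5"]))
```
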