Erik Nordmark wrote:

> > It seems that in mobileip wg, reflector attack scenarios were
> > identified for routing headers in Savola's draft. One solution,
> > which seems to me feasible to implement (no state needed),
> > was to mandate segments left to 1 and check that the address
> > in the routing header is owned by the receiving MN host.
> > Seems these scenarios are not necessarily mobileip-specific.
> > I am wondering, are routing headers in this wg considered
> > a special-purpose mechanism that cannot be used?
>
> While such a check is reasonable for a host, a firewall can't actually
> check this since it doesn't know the relationship between Care of Addresses
> and Home Addresses.
>
> I don't know how significant this issue is but given the concerns
> expressed in Savola's draft about allowing general routing headers through
> firewalls it seems worthwhile to think about this and not immediately dismiss
> it - having a separate packet format for routing headers (specifying
> addresses of one or more hops) from the ability to specify an extra
> IP address for the destination *might* be the better thing to do.
I have some doubt about this being better.

How I would understand this issue to apply is when a firewall e.g. would
like to enforce: don't let source-routed packets through, but only packets
with both addresses in the same end host. Though the firewall can't know
CoA-HAddr associations, it might not want to enforce that these packets
only concern MNs. The same reflector attacks could also be done using
non-MN hosts.

When enforcing the above example firewall policy, maybe it could be less
change-requiring to recommend the host-check rule also for non-MNs (CNs).
Then, a firewall would allow only rthdrs with segments left 1 through.

If reflector scenarios need to be avoided in the domain, end nodes need to
enforce this. This is because tunneling to an end host can also be made to
reflect the inner packet to another host. Hence, a format change in a
protocol may not be what is needed to address this issue; a rule in one
form or another in the end hosts might be needed anyway. Inventing a new
format could make the rule look implicit, though it needs to be enforced
anyway in an implementation.

Compared to having a new message format, all hosts using it would anyway
need to implement the new format. The host rule for rthdr would have the
same scope of implementation change but with existing protocol messages,
and the change would only be an added check in the implementation of
existing protocols, without protocol specification change.

Does this address the issue?

> Erik

BR,
-Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
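The two checks the thread contrasts, worked through in code. This is an added example, not code from the IPng thread or from any Mobile IPv6 implementation. It builds IPv6 packets carrying a Type 0 Routing Header, applies the host-side rule from the thread (Segments Left must be 1 and the address left in the routing header must be one the receiving host owns), and shows what a firewall with no CoA/HoA binding table can and cannot decide. The function names, the `my_addresses` set and all sample packets are constructed here; addresses use the 2001:db8::/32 documentation prefix. The host rule is, in substance, the one later adopted for the Mobile IPv6 Type 2 Routing Header (RFC 3775), but the code below checks the Type 0 header the thread is talking about.

```python
"""Host-side vs. firewall-side checks on IPv6 Type 0 Routing Headers.

Added example for the thread above; the packets and addresses are
constructed test input, not captures.
"""
import ipaddress
import struct

IPPROTO_ROUTING = 43   # IPv6 Routing Header extension header
IPPROTO_NONE = 59      # "No next header"
RH_TYPE0 = 0           # Routing Type 0 (the general source-routing header)


def build_ipv6(src, dst, next_header, payload):
    """IPv6 fixed header (version 6, TC/flow 0, hop limit 64) + payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + payload


def build_rh0_packet(src, dst, hops, segments_left, next_header=IPPROTO_NONE):
    """IPv6 packet whose first extension header is a Type 0 RH listing `hops`.
    Hdr Ext Len counts 8-octet units after the first 8, i.e. 2 per address."""
    addrs = [ipaddress.IPv6Address(h) for h in hops]
    rh = struct.pack("!BBBBI", next_header, 2 * len(addrs), RH_TYPE0, segments_left, 0)
    rh += b"".join(a.packed for a in addrs)
    return build_ipv6(src, dst, IPPROTO_ROUTING, rh)


def parse_rh0(packet):
    """Return (src, dst, hops, segments_left), or None when the packet carries
    no Type 0 RH directly after the fixed header. Malformed input raises."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, next_hdr, _ = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    if next_hdr != IPPROTO_ROUTING:
        return None
    body = packet[40:40 + payload_len]
    if len(body) < 8:
        raise ValueError("truncated routing header")
    _, ext_len, rtype, seg_left, _ = struct.unpack("!BBBBI", body[:8])
    if rtype != RH_TYPE0:
        return None  # other routing types are out of scope for this example
    if ext_len % 2 or len(body) < 8 + 8 * ext_len:
        raise ValueError("bad Type 0 routing header length")
    n = ext_len // 2
    hops = [ipaddress.IPv6Address(body[8 + 16 * i:24 + 16 * i]) for i in range(n)]
    if seg_left > n:
        raise ValueError("Segments Left exceeds address count")
    return src, dst, hops, seg_left


def host_accepts(packet, my_addresses):
    """The rule proposed in the thread, applied by the receiving host.

    `my_addresses` is the set of addresses this host owns (for an MN: its
    care-of and home addresses). With Segments Left == 1 the address that
    would be swapped into the destination field is the last one listed, so
    requiring that the host owns it means the packet is never re-sent to a
    third party, which is exactly the reflector case.
    """
    parsed = parse_rh0(packet)
    if parsed is None:
        return True            # no Type 0 RH: nothing for this rule to check
    _, dst, hops, seg_left = parsed
    if dst not in my_addresses:
        return False           # not addressed to us at all
    if seg_left != 1:
        return False           # further hops would still have to be visited
    return hops[-1] in my_addresses


def firewall_accepts(packet):
    """What a firewall in the path can enforce on its own.

    It has no table of CoA/HoA (or any other) address relationships, so the
    ownership test above is not available to it; the most it can require is
    Segments Left == 1 and leave the ownership check to the end host.
    """
    parsed = parse_rh0(packet)
    if parsed is None:
        return True
    _, _, _, seg_left = parsed
    return seg_left == 1
```

The three cases worth running: a packet to an MN's care-of address whose routing header carries that MN's home address (both checks pass); the same packet shape with some unrelated address in the routing header (the host rejects it, the firewall cannot tell the difference); and a multi-hop header with Segments Left 2 (both reject). The second case is the thread's point: only the end host can close the reflector hole, whatever the firewall enforces.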
