> Erik, Sorry for not responding sooner - the email didn't have me on the to or cc lists.
> My point was that even though firewall would not know, if we have
> enforcement of the "host-check" rule [cf. Pekka's mail for its decoding],
> in all nodes _receiving_ the routing header, this would be a distributed way
> of enforcing the conditions we discuss.

Yes, if you make all hosts and routers inside the firewall have that check you'd be fine. Two issues:

1. the firewall might not want to trust all the internal hosts and routers to be correctly configured with such a rule.
2. I think this would prevent using routing headers for their general use for traffic that is local to the domain inside the firewall.

So it seems like if these should be the default rule for all hosts and routers we've effectively redefined the type 0 routing header to be only useful for MIPv6. And if it isn't the default then issue #1 is definitely present.

Sounds like if there are strong arguments for this level of security it would be politer to define a new header than cripple the general usability of the routing header.

> In the distributed approach I was describing, we would need the
> "host rule" to be something to enable or disable in forwarding source
> routers, too. In case source routing would be disabled for the domain,
> they too would disable this.

We're in agreement on this one.

> > As Pekka's draft points out this lack of distinction could
> > be addressed by defining a new type of routing header which is
> > limited to "forwarding" on the same node.
>
> True. This is another way, which is a "cheaper" way than a totally
> new extension header to have the control localized to the firewall.

For what notion of "cost" do you come to that conclusion? To me the cost/benefit tradeoff between a new routing header type and e.g. Deering/Zill tunneling headers isn't obvious.

> So to get more clarity, is the localization (to the firewall) of
> controlling the use of routing header something that you find necessary?

I honestly don't know.

Pekka brought up the issue - perhaps he can comment? The background for this was that allowing generic use of routing headers is dangerous and is something that firewalls might block. But I don't fully understand the severity of allowing general use of routing headers - it does allow a DoS attacker to hide a bit since it could be present at any previous hop in the routing header.

> If so, would the use of "type 1" routing header in MIPv6 draft address
> the issue?

Yes, but is this conceptually simpler than Deering/Zill tunneling? Easier to implement? They seem to be about equivalent in these respects as far as I understand today.

Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
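The "host-check" rule the thread argues about, written out as a receiving node's filter so the two consequences Erik raises become concrete: a MIPv6-style header whose only remaining hop is the node itself passes, while a general-purpose type 0 header that would forward on to another node inside the domain is dropped. This is an added illustration, not code from the thread or from any IETF draft; the packet layout follows the RFC 2460 routing header, the policy function and all sample addresses are constructed for this example, and the MIPv6 header is modelled as routing type 1 because that is the type the thread names.

```python
import ipaddress
import struct

def parse_routing_header(data: bytes) -> dict:
    """Parse a raw IPv6 Routing Header: Next Header, Hdr Ext Len, Routing Type,
    Segments Left, 4 reserved bytes, then a list of 16-byte addresses."""
    if len(data) < 8:
        raise ValueError("routing header truncated")
    next_hdr, ext_len, rtype, seg_left = struct.unpack("!BBBB", data[:4])
    total = (ext_len + 1) * 8          # Hdr Ext Len excludes the first 8 octets
    if len(data) < total:
        raise ValueError("routing header shorter than Hdr Ext Len claims")
    body = data[8:total]
    if len(body) % 16:
        raise ValueError("address list is not a multiple of 16 bytes")
    addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
    return {"next": next_hdr, "type": rtype, "segments_left": seg_left, "addrs": addrs}

def host_check(rh: dict, my_addrs: set) -> tuple:
    """Assumed 'host-check' policy: accept the header only if every hop still to
    be visited is this node, i.e. the header only 'forwards' on the same node.
    A header that would send the packet on to another node is dropped, which is
    why enforcing this everywhere removes general-purpose type 0 source routing."""
    n = rh["segments_left"]
    if n == 0:
        return True, "no segments left, header already consumed"
    if n > len(rh["addrs"]):
        return False, "segments left exceeds address count (malformed)"
    remaining = rh["addrs"][-n:]
    if all(a in my_addrs for a in remaining):
        return True, "all remaining hops are this node"
    foreign = ", ".join(str(a) for a in remaining if a not in my_addrs)
    return False, "would forward to %s" % foreign

def build_routing_header(rtype: int, seg_left: int, addrs) -> bytes:
    """Build a routing header for the constructed sample packets below."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBB", 59, len(body) // 8, rtype, seg_left) + b"\x00" * 4 + body

# Constructed sample values: this node's addresses and two incoming headers.
MY_ADDRS = {ipaddress.IPv6Address("2001:db8::1"), ipaddress.IPv6Address("2001:db8:cafe::1")}
MIPV6_RH = build_routing_header(1, 1, ["2001:db8:cafe::1"])          # hop is our own address
SOURCE_ROUTED_RH = build_routing_header(0, 2, ["2001:db8::1", "2001:db8::99"])  # via another node

def verdicts() -> dict:
    """Apply the rule to both samples; returns {"mipv6": True, "source_routed": False}."""
    return {name: host_check(parse_routing_header(raw), MY_ADDRS)[0]
            for name, raw in (("mipv6", MIPV6_RH), ("source_routed", SOURCE_ROUTED_RH))}
```

Turning the rule off on nodes that should still forward general type 0 traffic is the "enable or disable in forwarding source routers" knob the thread mentions; the firewall then cannot tell from the outside which internal nodes actually enforce it, which is Erik's issue #1.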
