Date:        Thu, 13 Dec 2001 11:23:32 +0200 (EET)
From:        Pekka Savola <[EMAIL PROTECTED]>
Message-ID:  <[EMAIL PROTECTED]>

  | If Attacker A pings 2002:0102:0304::1 it works no problems.  If attacker 
  | pings 3ffe:ffff:1::1, there is no reply as the network is not reachable to 
  | the Internet on purpose.

Unless it is carefully filtered, it is reachable, just harder.  Relying
on failing to advertise routes as an alternative to filtering is folly.

  | Target node T decapsulates the IPv4 packet and delivers the IPv6 packet to 
  | 3ffe:ffff:1::1 without complaints.

If the address is supposed to be filtered, the filters need to apply
to decapsulated packets just as much as regular ones.   If you set up
(or permit) a tunnel to bypass firewalls, you get exactly what you should
get (in many cases, that is sensible service...)

  | A problem is that one does not know how tunneling is implemented.  If one 
  | receives a packet from a tunnel, does one apply all the same checks one 
  | would if the packet had come from the wire?

One certainly should.   A tunnel interface is just an interface, the
same as any other - except that by having it (and having it available)
you know that you're admitting packets that other firewalls might not
have noticed, thus you need to use extra care with filtering.

  | There are
  | other issues, like being able to inject IPv6 packets with hop limit = 255
  | from anywhere in the Internet.

Huh?  If you're forwarding a packet that has been decapsulated from a
tunnel, you certainly better be decrementing the TTL first (even if you're
just forwarding it to a local - internal - interface).  The tunnel
is just a link like any other.  You wouldn't be forwarding a packet from
ethernet to somewhere else without decrementing its TTL, nor should you
from a tunnel.

kre
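
The two points kre makes above, that a tunnel interface gets the same ingress filter as a wire interface and that the hop limit is decremented before forwarding, are illustrated by the following added example. It is not code from the thread or from any vendor's stack; it models a minimal 6to4 (IPv4 protocol 41) decapsulation path in Python using the thread's own addresses. The internal-only prefix 3ffe:ffff:1::/48, the outer IPv4 peers and all sample packets are constructed for the example; the 6to4 embedded-address consistency check is the standard one for the 2002::/16 prefix.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41          # IPv4 protocol number carrying encapsulated IPv6 (6to4)
IPV6_NO_NEXT_HEADER = 59

# Hypothetical site policy for this example: the prefix the thread calls
# "not reachable to the Internet on purpose" is dropped at ingress on the
# tunnel interface exactly as it would be on a wire interface.
INTERNAL_ONLY = ipaddress.IPv6Network("3ffe:ffff:1::/48")
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header: no options, checksum left zero (enough for parsing)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(src, dst, hop_limit, payload=b""):
    """Constructed IPv6 header with no extension headers."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), IPV6_NO_NEXT_HEADER, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def decapsulate(ipv4_pkt):
    """Return (outer_src, inner_ipv6_bytes) for a protocol-41 packet, else None."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[0] >> 4 != 4:
        return None
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    if ipv4_pkt[9] != IPPROTO_IPV6 or len(ipv4_pkt) < ihl + 40:
        return None
    return ipaddress.IPv4Address(ipv4_pkt[12:16]), ipv4_pkt[ihl:]


def parse_ipv6(pkt):
    """Return (src, dst, hop_limit) from an IPv6 header, or None if malformed."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]), pkt[7]


def ingress_filter(outer_src, inner):
    """The policy a wire interface would apply, plus the 6to4 consistency check."""
    parsed = parse_ipv6(inner)
    if parsed is None:
        return "drop: malformed inner IPv6 header"
    src, dst, _hop = parsed
    if dst in INTERNAL_ONLY or src in INTERNAL_ONLY:
        return "drop: internal-only prefix on tunnel interface"
    if src in SIXTOFOUR:
        # 2002:V4ADDR::/48: the embedded IPv4 address must match the outer source
        if ipaddress.IPv4Address(src.packed[2:6]) != outer_src:
            return "drop: 6to4 source does not match outer IPv4 source"
    return "accept"


def forward(inner):
    """Decrement the hop limit as on any other link; return the packet to send, or None."""
    hop = inner[7]
    if hop <= 1:
        return None  # would reach 0: discard (a real router also sends ICMPv6 Time Exceeded)
    return inner[:7] + bytes([hop - 1]) + inner[8:]


def process_tunnel_packet(ipv4_pkt):
    """Decapsulate, filter, forward. Returns (verdict, forwarded_packet_or_None)."""
    decap = decapsulate(ipv4_pkt)
    if decap is None:
        return "drop: not a protocol-41 packet", None
    outer_src, inner = decap
    verdict = ingress_filter(outer_src, inner)
    if verdict != "accept":
        return verdict, None
    out = forward(inner)
    if out is None:
        return "drop: hop limit exceeded", None
    return "forward", out


# Constructed sample traffic modelled on the thread's addresses (relay 5.6.7.8 is hypothetical).
LEGIT = build_ipv4("1.2.3.4", "5.6.7.8", IPPROTO_IPV6,
                   build_ipv6("2002:0102:0304::1", "2002:0506:0708::1", 255))
TO_INTERNAL = build_ipv4("1.2.3.4", "5.6.7.8", IPPROTO_IPV6,
                         build_ipv6("2002:0102:0304::1", "3ffe:ffff:1::1", 255))
SPOOFED = build_ipv4("9.9.9.9", "5.6.7.8", IPPROTO_IPV6,
                     build_ipv6("2002:0102:0304::1", "2002:0506:0708::1", 255))
EXPIRING = build_ipv4("1.2.3.4", "5.6.7.8", IPPROTO_IPV6,
                      build_ipv6("2002:0102:0304::1", "2002:0506:0708::1", 1))

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("to_internal", TO_INTERNAL),
                      ("spoofed", SPOOFED), ("expiring", EXPIRING)]:
        verdict, out = process_tunnel_packet(pkt)
        print(f"{name:12s} {verdict}", "" if out is None else f"(hop limit now {out[7]})")
```

The point of the shape: `ingress_filter` is the same function the site would hang on its wire interfaces, and `forward` does not care which interface the packet arrived on. Whether the packet reached the box inside protocol 41 changes nothing about the decision, which is what the reply above argues.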


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------