Pekka, I've read your draft and here is the list of comments regarding the Routing Header. In my comments I am making an assumption that hosts do not forward packets off the node.

---- Section 2.1 ----

With the above assumption, the webserver will not forward the packet to host2 (unless of course you configure the webserver as a router). The webserver will then receive the packet described in the draft and do processing according to 2460. When processing the routing header, it will follow the 2460 rules by swapping the addresses and attempting to forward using, let's say, the ip6_forward() method. Since this is a host, it should not be forwarding off the node (assumption above). Since the route to 'host2' points off the node, the packet is dropped (and I think the ICMP error is returned, not sure on this point).

---------------------

---- Section 2.2 -----

The description for Section 2.1 applies here as well. Unless the 'reflector' is a router (that's not doing ingress filtering), the packet will be dropped at the reflector and the attack will fail.

I do not know how iTrace works so I can't comment on Section 2.3.

As you can see, if we restrict the hosts to not forward packets off the node (I think this is already done... indirectly), then the routing headers do not really cause big problems.

As for your message with people creating routes to loopback, there is nothing you can do if people insist on shooting themselves in the foot. :)

-vlad

> But please, if you have specific arguments, have a look at my draft.
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
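As an added illustration (not part of Vlad's message or of Pekka's draft), here is a small Python model of the RFC 2460 Type 0 Routing Header steps the comments describe, with the host/router distinction as the gate that decides whether the packet leaves the node; the node names and the 2001:db8:: addresses are constructed.

```python
# Added model (not from the message or the draft) of RFC 2460 Type 0 Routing
# Header processing at a receiving node. Names and addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str                 # current IPv6 destination address
    addresses: list          # Type 0 routing header address list
    segments_left: int       # hops still to be visited


@dataclass
class Node:
    name: str
    addr: str
    is_router: bool = False  # a host does not forward packets off the node
    log: list = field(default_factory=list)


def process_routing_header(node: Node, pkt: Packet) -> str:
    """Apply the RFC 2460 section 4.4 steps; return the packet's fate."""
    if pkt.segments_left == 0:
        node.log.append(f"{node.name}: delivered to upper layer")
        return "delivered"
    n = len(pkt.addresses)
    if pkt.segments_left > n:
        # Malformed header: 2460 sends ICMP Parameter Problem; modelled as a drop
        node.log.append(f"{node.name}: dropped (Segments Left > addresses)")
        return "dropped"
    i = n - pkt.segments_left
    # Swap the next listed address with the destination, decrement Segments Left
    pkt.addresses[i], pkt.dst = pkt.dst, pkt.addresses[i]
    pkt.segments_left -= 1
    # Re-sending toward the new destination is a forwarding decision. On a host
    # the route to pkt.dst points off the node, so the packet goes no further.
    if not node.is_router:
        node.log.append(f"{node.name}: dropped, host will not forward to {pkt.dst}")
        return "dropped"
    node.log.append(f"{node.name}: forwarded to {pkt.dst}")
    return "forwarded"


def draft_scenario(webserver_is_router: bool) -> str:
    """Packet sent to the webserver with host2 listed in its routing header."""
    web = Node("webserver", "2001:db8::80", is_router=webserver_is_router)
    pkt = Packet(src="2001:db8::bad", dst=web.addr,
                 addresses=["2001:db8::2"], segments_left=1)
    return process_routing_header(web, pkt)
```

With the webserver left as a host the scenario ends in "dropped"; only when it is configured as a router does the packet go on to host2.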
