Pekka
RFC 2460 states the following:
> router - a node that forwards IPv6 packets not explicitly
> addressed to itself. [See Note below].
and the conseptual sending algorithm is this:
> else {
> swap the IPv6 Destination Address and Address[i]
>
> if the IPv6 Hop Limit is less than or equal to 1 {
> send an ICMP Time Exceeded -- Hop Limit Exceeded in
> Transit message to the Source Address and discard the
> packet
> }
> else {
> decrement the Hop Limit by 1
>
> resubmit the packet to the IPv6 module for transmission
> to the new destination
> }
One could argue that after the source routed packet is processed and
resubmitted for
transmision, it's is no longer addressed to the node processing it (the
source is the original source and the destination is the next hop).
Thus, the node in effect is
forwarding this packet. "Forwarding" is a function of router thus, in
my mind the
node has to be configured as router and has to obey all the router
rules.
Pekka Savola wrote:
>
> Nonetheless, discussion in 2.5.1. and security considerations apply.
> IMO, "same-node" does not seem to be a strict enough requirement, if one
> assumes this kind of routing header processing would have to be enabled on
> *every* host.
I beleave that's what 2460 assumes.
>
> > As for your message with people creating routes to loopback, there is
> > nothing you can do if people insist of shooting themselves in the
> > foot. :)
>
> Remember, it's _attackers_ who are not doing this -- not administrator
> shooting themselves in the foot.
>
> Addrarch requires that these packets to loopback, site/linklocal are
> dropped at input. However, I'm curious whether all implementations
> process the packets received through this mechanism via the same input
> functions as regular packets would have been -- that is, has someone
> created "shortcuts" here..
This would be a bug in the implementation and the implementation needs
to be
fixed. It doesn't make sence to impose restriction on a well behaving
implementation.
-vlad
>
> --
> Pekka Savola "Tell me of difficulties surmounted,
> Netcore Oy not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
