Tony Hain wrote:
>
> Pekka Savola wrote:
> > Undeniably, you can input packets with:
> >
> > - link-local source (here: ff80::1)
> > - link-local destination (here: ff80::2)
> > - hop limit 255
> >
> > in the tunnel interface.
>
> Not if the tunnel interface consistency check is applied to prevent it.
> If you don't want to accept link-local packets over the tunnel you are
> not required to.
I'd say that was a wise precaution in a 6to4 decapsulator; I can't see any legitimate reason to accept a link-local destination address from a 6to4 relay. (There's a legitimate use of link-local source addresses in the 6to4 multicast case, but only for MLD reports, and I think we could require hop limit = 1 in that case if we wanted.)

   Brian

> Accepting packets through a filter needs to be done for
> each of the interfaces. If you are willing to accept packets from any
> IPv4 source, but not any IPv6 source, then you have to recheck the
> packet once it is decapsulated.
>
> > Now, if the router has 'ff80::2' configured as one of its
> > pseudo-interface addresses, that address can be reached via tunneling with
> > hop limit 255 from anywhere.
> >
> > See the potential problem here?
>
> Yes, the node is reachable using IPv4 from anywhere, and you are trying
> to make believe that adding IPv6 is somehow a bigger problem. What is
> the point? If packets can get there via IPv4, the fact that some of them
> may be encapsulated IPv6 makes no difference. If a node has a policy
> that packets over the global IPv4 interface go through some firewall
> process, then the same policy MUST apply to the tunnel interface. If it
> doesn't the site administrator is brain-dead and deserves what he gets.
> If your complaint is that a site administrator can't apply granular
> policy to a link-local address over a tunnel, you are right and they
> simply need to block all FE80 addresses on that interface.
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter
Distinguished Engineer, Internet Standards & Technology, IBM
On assignment at the IBM Zurich Laboratory, Switzerland
Board Chairman, Internet Society http://www.isoc.org
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
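Editor's added example (not part of the thread above, and not code from any of its participants): a tunnel-ingress filter for a 6to4 decapsulator that implements the policy the two messages converge on. It re-checks the decapsulated IPv6 packet as Tony describes, applies the RFC 3056 consistency check (a 2002::/16 source must embed the outer IPv4 source), drops any link-local destination as Brian suggests, and admits a link-local source only when the packet is an MLD report with hop limit 1. The frames it filters are constructed inline for illustration, not captured traffic; addresses are from the documentation ranges, and the IPv4 checksum is left zero because the example never puts the frames on a wire.

```python
"""Ingress filter for a 6to4 decapsulator (added example, not from the thread).

Policy, derived from the discussion plus RFC 3056's consistency check:
  * outer protocol must be 41 (IPv6-in-IPv4);
  * a 2002::/16 inner source must embed the outer IPv4 source (anti-spoofing);
  * any fe80::/10 inner destination is dropped;
  * an fe80::/10 inner source is accepted only for an MLD report with hop limit 1.
"""
import ipaddress
import struct

IPPROTO_HOPOPTS = 0
IPPROTO_IPV6 = 41
IPPROTO_ICMPV6 = 58
IPPROTO_NONE = 59
MLD_REPORT_TYPES = {131, 143}      # MLDv1 report (RFC 2710), MLDv2 report (RFC 3810)
SIXTO4 = ipaddress.IPv6Network("2002::/16")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_mld_report(payload: bytes, next_header: int) -> bool:
    """True if the IPv6 payload is an ICMPv6 MLD report, skipping the
    Hop-by-Hop (Router Alert) header that MLD messages carry."""
    if next_header == IPPROTO_HOPOPTS:
        if len(payload) < 8:
            return False
        next_header = payload[0]
        payload = payload[(payload[1] + 1) * 8:]   # ext len in 8-octet units, first 8 excluded
    return next_header == IPPROTO_ICMPV6 and len(payload) >= 4 and payload[0] in MLD_REPORT_TYPES


def decap_verdict(frame: bytes) -> tuple:
    """Return ("accept", reason) or ("drop", reason) for one IPv4 frame
    arriving on the tunnel interface."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return ("drop", "not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        return ("drop", "bad IPv4 header length")
    if frame[9] != IPPROTO_IPV6:
        return ("drop", "outer protocol is not 41")
    outer_src = ipaddress.IPv4Address(frame[12:16])
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ("drop", "inner packet is not IPv6")
    next_header, hop_limit = inner[6], inner[7]
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])

    # RFC 3056 consistency check: a 2002:V4ADDR::/48 source must match the outer source.
    if src in SIXTO4 and ipaddress.IPv4Address(src.packed[2:6]) != outer_src:
        return ("drop", "6to4 source does not embed outer IPv4 source")
    # Nothing legitimate addresses a link-local destination through the tunnel.
    if dst in LINK_LOCAL:
        return ("drop", "link-local destination over tunnel")
    # Link-local source: only MLD reports, and only with hop limit 1.
    if src in LINK_LOCAL:
        if hop_limit != 1:
            return ("drop", "link-local source with hop limit != 1")
        if not is_mld_report(inner[40:], next_header):
            return ("drop", "link-local source that is not an MLD report")
    return ("accept", "passed tunnel ingress checks")


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IPPROTO_IPV6) -> bytes:
    """Minimal IPv4 header (no options; checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def build_ipv6(src: str, dst: str, next_header: int, hop_limit: int, payload: bytes = b"") -> bytes:
    """IPv6 fixed header (version 6, zero traffic class/flow label) plus payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def mldv2_report() -> bytes:
    """Hop-by-Hop header with Router Alert (type 5, len 2, value 0) and PadN,
    followed by an ICMPv6 MLDv2 report (type 143) with zeroed checksum and body."""
    hbh = bytes([IPPROTO_ICMPV6, 0, 5, 2, 0, 0, 1, 0])
    icmp = bytes([143, 0, 0, 0]) + b"\x00" * 4
    return hbh + icmp


def sample_verdicts() -> dict:
    """Constructed frames (not captured traffic) covering the cases in the thread."""
    report = mldv2_report()
    frames = {
        # 2002:c000:201::/48 embeds 192.0.2.1, which matches the outer source.
        "consistent_6to4": build_ipv4("192.0.2.1", "192.0.2.254",
            build_ipv6("2002:c000:201::1", "2001:db8::1", IPPROTO_NONE, 64)),
        # Same inner source, but the outer IPv4 source is someone else.
        "spoofed_6to4": build_ipv4("198.51.100.7", "192.0.2.254",
            build_ipv6("2002:c000:201::1", "2001:db8::1", IPPROTO_NONE, 64)),
        # Pekka's case: link-local destination with hop limit 255 via the tunnel.
        "link_local_dst_hop255": build_ipv4("192.0.2.1", "192.0.2.254",
            build_ipv6("2002:c000:201::1", "fe80::2", IPPROTO_NONE, 255)),
        # Brian's carve-out: MLD report from a link-local source, hop limit 1.
        "mld_report_hop1": build_ipv4("192.0.2.1", "192.0.2.254",
            build_ipv6("fe80::1", "ff02::16", IPPROTO_HOPOPTS, 1, report)),
        # Same report with hop limit 255 is rejected.
        "link_local_src_hop255": build_ipv4("192.0.2.1", "192.0.2.254",
            build_ipv6("fe80::1", "ff02::16", IPPROTO_HOPOPTS, 255, report)),
    }
    return {name: decap_verdict(frame) for name, frame in frames.items()}
```

The filter runs after decapsulation on the tunnel pseudo-interface, which is the point Tony makes: whatever policy the global IPv4 interface enforces has to be re-applied to the inner packet, because the outer IPv4 filter has no view of the IPv6 addresses or hop limit. The hop-limit-1 requirement for MLD reports is Brian's suggestion rather than a 6to4 rule, so sites that do not run 6to4 multicast can simply drop every fe80::/10 source as well.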
