Hello,
Elena Vengerova <[EMAIL PROTECTED]>, in an email exchange, brought up some
need for clarifications wrt. scoped addresses and routing header.
This made me look deeper into the scoping arch document.
A few comments:

9. Forwarding

[...]

      o  After the next-hop interface is chosen, the zone of the
         source address is considered. As with the destination
         address, the zone of the source address is determined by
         the scope of the address and arrival interface of the
         packet. If transmitting the packet on the chosen next-hop
         interface would cause the packet to leave the zone of the
         source address, i.e., cross a zone boundary of the scope
         of the source address, then the packet is discarded and an
         ICMP Destination Unreachable message [RFC 2463] with Code
         2 ("beyond scope of source address") is sent to the source
         of the packet.

==> Note the wording about crossing zone boundary w/ source address.

[...]

   A node that receives a packet addressed to itself and containing a
   Routing Header with more than zero Segments Left [RFC 2460, section
   4.4] swaps the original destination address with the next address in
   the Routing Header. Then the above forwarding rules are applied,
   using the new destination address where the zone of the new
   destination address should be determined by the scope of the previous
   destination address and the interface to which the previous address
   belongs (which is not necessarily equal to the incoming interface).
   An implementation MUST NOT examine additional addresses in the
   Routing header to determine whether they are crossing boundaries for
   their scopes. Thus, it is possible, though generally inadvisable, to
   use a Routing Header to convey a non-global address across its
   associated zone boundary.

==> Wow, a 5-line sentence :-). Anyway, my imagination is failing here:
what kind of non-global addresses can be placed in the routing header?
There may be a conflict with the previous comment there.

E.g., are you able to send a packet like:

   src=global1
   dst=globalA
   routing header=site_localA, segments left=1

which would be translated at globalA to:

   src=global1
   dst=site_localA
   routing header=globalA, segments left=0 ?

I think we need to have a much, much clearer view of what is possible
and what is not when crossing zone boundaries with routing headers.

14. Security Considerations

   The routing section of this document specifies a set of guidelines
   that allow routers to prevent zone-specific information from leaking
   out of each site. If site boundary routers allow site routing
   information to be forwarded outside of the site, the integrity of the
   site could be compromised.

==> Security considerations should mention potential problems of crossing
zone boundaries w/ routing headers.
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
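
Added example (not part of the original message or of the scoping draft): a small Python model of one reading of the quoted section 9 rules, run on the packet from the message. The addresses, interface names, zone labels and the unexamined_scoped audit helper are constructed for illustration and are assumptions, not draft text.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology: a border node with one interface per site zone.
# Zone ids are arbitrary labels; the global scope has a single zone "G".
IFACE_ZONES = {
    "inside":  {"link": "L1", "site": "S1"},
    "outside": {"link": "L2", "site": "S2"},
}

def scope(addr):
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link"
    return "site" if a.is_site_local else "global"

def zone(addr, iface):
    """Zone of addr as seen on iface, as a (scope, zone id) pair."""
    s = scope(addr)
    return (s, "G" if s == "global" else IFACE_ZONES[iface][s])

@dataclass
class Packet:
    src: str
    dst: str
    rh: list = field(default_factory=list)  # Routing Header addresses
    segments_left: int = 0

def forward(pkt, arrival, next_hop):
    """Source-address rule as quoted; Routing Header contents are not examined."""
    if zone(pkt.src, arrival) != zone(pkt.src, next_hop):
        return "discard: ICMP Destination Unreachable, Code 2"
    return "forward"

def swap_routing_header(pkt):
    """RFC 2460 section 4.4 at the addressed node: swap dst with the next RH address."""
    if pkt.segments_left == 0:
        return pkt
    i = len(pkt.rh) - pkt.segments_left
    rh = list(pkt.rh)
    rh[i], new_dst = pkt.dst, rh[i]
    return Packet(pkt.src, new_dst, rh, pkt.segments_left - 1)

def unexamined_scoped(pkt, arrival, next_hop):
    """Hypothetical audit helper: RH addresses whose zone differs between the interfaces."""
    return [a for a in pkt.rh if zone(a, arrival) != zone(a, next_hop)]

# Constructed stand-ins for global1, globalA and site_localA from the message.
EMAIL_PACKET = Packet("2001:db8:1::1", "2001:db8:a::1", ["fec0::a"], 1)
```

In this model the packet from the message is forwarded across the site boundary because only the source address is checked, while the same crossing with a site-local source is discarded with Code 2.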