> Just in case folks are missing out on this, find below a rather nasty
> security issue.
>
I cannot say that this is a big surprise, even if the specific attack is news to me and it has a major impact. Some issues with Type 0 have been known for years; I think draft-savola-ipv6-rh-ha was the first to report these. RFC 4294 warns of the issues, and the RFC 3775 design was based on the idea of avoiding Type 0 because it was felt that at some point Type 0 would likely be filtered due to its problems. Also, draft-ietf-v6ops-security-overview was recently approved. It notes, among other things, that "it may be desirable to forbid or limit the processing of Type 0 Routing Headers in hosts and some routers."

So I think we should take that advice and modify the stacks that do not do the right thing today. A good first approximation is to add a configuration knob for processing Type 0 headers in both hosts and routers, with the default set to off. Better firewall support for doing this would also be needed (without disabling use of Type 2, of course).

But we at the IETF also need to draw a conclusion about the state of Type 0. This feature needs to be retired.

Jari

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
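The filtering behaviour the post asks for (reject Routing Header Type 0 by default behind a knob, while still letting Mobile IPv6's Type 2 through), shown as an added example that is not code from the post, from any IETF document, or from any real stack. It walks the IPv6 extension-header chain of a raw packet and returns a verdict; the sample packets, addresses (2001:db8::/32) and the function names are constructed for this illustration.

```python
import struct

IPV6_HDR_LEN = 40
LEN_CODED = {0, 43, 60}   # Hop-by-Hop, Routing, Dest Options: byte 1 = Hdr Ext Len (8-octet units, excl. first 8)
FRAGMENT = 44             # fixed 8 octets, no length field
ROUTING = 43

def find_routing_headers(pkt: bytes):
    """Walk the extension-header chain; return [(routing_type, segments_left), ...]."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = pkt[6], IPV6_HDR_LEN, []
    while True:
        if nxt == FRAGMENT:
            hdr_len = 8
        elif nxt in LEN_CODED:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8
        else:
            return found                      # upper-layer (or unknown) header: chain ends here
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            found.append((pkt[off + 2], pkt[off + 3]))
        nxt, off = pkt[off], off + hdr_len   # Next Header field is byte 0 of every extension header

def rh_policy(pkt: bytes, allow_type0: bool = False) -> str:
    """The knob from the post (hypothetical name): Type 2 always passes, Type 0 only when
    allow_type0 is on (default off), any other routing type is dropped."""
    for rtype, _segments_left in find_routing_headers(pkt):
        if rtype == 2 or (rtype == 0 and allow_type0):
            continue
        return "drop"
    return "accept"

# Constructed sample packets: documentation addresses, ICMPv6 echo request payload, checksum left 0
SRC = bytes.fromhex("20010db8" + "00" * 12)
DST = bytes.fromhex("20010db8" + "00" * 11 + "01")
VIA = bytes.fromhex("20010db8" + "00" * 11 + "02")        # address carried in the routing header
ICMP_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)

def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, SRC, DST) + payload

def routing_header(rtype: int, next_header: int = 58) -> bytes:
    # Next Header, Hdr Ext Len=2 (one 16-byte address), Routing Type, Segments Left=1, reserved
    return struct.pack("!BBBBI", next_header, 2, rtype, 1, 0) + VIA

DST_OPTS = struct.pack("!BBBB", ROUTING, 0, 1, 4) + b"\0" * 4   # 8-byte Dest Options (PadN) before the RH
PKT_RH0 = ipv6(ROUTING, routing_header(0) + ICMP_ECHO)
PKT_RH2 = ipv6(ROUTING, routing_header(2) + ICMP_ECHO)
PKT_PLAIN = ipv6(58, ICMP_ECHO)
PKT_DSTOPT_RH0 = ipv6(60, DST_OPTS + routing_header(0) + ICMP_ECHO)
```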
