Hi Bob/all,

I advocate for option #1. IMO, the paper found by following the link below makes a good case against the use of IPv6 Routing Header Type 0:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

The following I-D (perhaps among others) also succinctly delineates the potential security problems with its use: draft-savola-ipv6-rh-ha-security-03.txt.

Whether it's the potential to reach a hidden host via a visible one, the ability to use reflection to launch a DoS attack, or other security issues as noted both on this list and in the above-referenced papers (and others), deprecation of Routing Header Type 0 (aka option #1) is best. The implicit curriculum of #2 and #3 really seems to be that RH0 processing can be enabled. Also, to me it seems that #4 just gives us slightly less of a bad thing. Even workarounds such as ingress filtering with properly configured ACLs could also technically be used by an attacker.

I would also prefer that RH0 be silently dropped but could live with an ICMPv6 error message being sent back to the sending host (error messages are rate-limited). Not processing but forwarding RH0 does not seem to make sense.

Best Regards,

Timothy Enos
Rom 8:28

>From: Bob Hinden <[EMAIL PROTECTED]>
>Date: 2007/04/25 Wed PM 07:39:40 CDT
>To: IETF IPv6 Mailing List <[email protected]>
>Subject: Question for IPv6 w.g. on [Re: IPv6 Type 0 Routing Header issues]
>[trimming this to just the IPv6 w.g.]
>
>We think the question for the IPv6 working group on this topic is
>does the working group want to do anything to address the issues
>raised about the Type 0 routing header. Possible actions include:
>
> 1) Deprecate all usage of RH0
> 2) Recommend that RH0 support be off by default in hosts and routers
> 3) Recommend that RH0 support be off by default in hosts
> 4) Limit its usage to one RH0 per IPv6 packet and limit the number
>of addresses in one RH0.
>
>These examples are not all mutually exclusive.
>
>Please respond to the list with your preference and justifications.
>
>Thanks,
>Bob Hinden / Brian Haberman
>IPv6 W.G. Chairs
>
>p.s. We will send a note to the other lists that the IPv6 w.g. will
>be discussing this issue.
>
>--------------------------------------------------------------------
>IETF IPv6 working group mailing list
>[email protected]
>Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
>--------------------------------------------------------------------
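
An added example, not part of the thread or of any poster's code: a Python sketch of the per-packet check that option #1 (drop any RH0) and option #4 (one RH0 with a bounded address count) would each require, walking the IPv6 extension header chain of a raw packet. The function names, the `max_addrs` bound of 2, and the zero-filled sample packets are assumptions made for illustration.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59

def find_rh0(packet: bytes) -> list:
    """Walk the extension header chain; return the address count of each RH0 found."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, hdr_ext_len = packet[offset], packet[offset + 1]
        # The Fragment header is fixed at 8 bytes; the others are (Hdr Ext Len + 1) * 8.
        length = 8 if next_header == FRAGMENT else (hdr_ext_len + 1) * 8
        if offset + length > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING and packet[offset + 2] == 0:  # Routing Type 0
            found.append(hdr_ext_len // 2)  # RH0 carries Hdr Ext Len / 2 addresses
        if next_header == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            break  # non-first fragment: the bytes that follow are not headers
        next_header, offset = following, offset + length
    return found

def verdict(packet: bytes, option: int, max_addrs: int = 2) -> str:
    """Decision under option 1 or option 4 from the list poll (max_addrs is assumed)."""
    rh0 = find_rh0(packet)
    if not rh0:
        return "forward"
    if option == 1:
        return "drop"  # silently, with no ICMPv6 error
    if option == 4:
        return "forward" if len(rh0) == 1 and rh0[0] <= max_addrs else "drop"
    raise ValueError("options 2 and 3 are default-off settings, not per-packet rules")

def build_sample(rh0_addr_counts: list) -> bytes:
    """Constructed test packet: IPv6 header, one zeroed RH0 per entry, no payload."""
    ext = b""
    for i, n in enumerate(rh0_addr_counts):
        following = ROUTING if i + 1 < len(rh0_addr_counts) else NO_NEXT
        ext += bytes([following, 2 * n, 0, n]) + bytes(4 + 16 * n)
    first = ROUTING if rh0_addr_counts else NO_NEXT
    return struct.pack("!IHBB", 6 << 28, len(ext), first, 64) + bytes(32) + ext

if __name__ == "__main__":
    for counts in ([], [1], [5], [1, 1]):
        pkt = build_sample(counts)
        print(counts, verdict(pkt, 1), verdict(pkt, 4))
```

Routing headers of other types are left alone: only Routing Type 0 is counted, so a check like this does not affect them.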
