On Thu, May 10, 2007 at 05:49:14PM +0300, Pekka Savola wrote:
> On Thu, 10 May 2007, Jeroen Massar wrote:
> >As such, when you are a transit provider, and you have on the edges of
> >your network some vulnerable hosts, those hosts can be used to apply
> >this attack to your network.
> >The documentation should thus specify that, where possible, RH0 should
> >be filtered at customer borders.
>
> Well, IMHO that's a bit unnecessary.
I think this is worse than unnecessary - it is probably harmful. If
filtering is recommended then some proportion of people will filter
all routing headers and use this recommendation as a justification
for it. Then we'll be backed into a corner where we can't replace
RH0 with something safe and we also break the mobility stuff.
> If you see packet ping-pong on the Internet, it's an indication that
> ingress and egress filters haven't been adequately set up. Adding
> those will stop your network's bandwidth being wasted.
> Maybe this RH0 vulnerability will turn out for the good after all if
> it means better BCP38/84 deployment :-)
Indeed - ISPs would be much better implementing BCP38/84.
David.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
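
The distinction argued over in this thread, filtering only Routing header type 0 rather than every Routing header, shown as an added example that is not part of the original message. It relies on type 2 being the Mobile IPv6 routing header; the function names, the choice to drop unparseable chains, and the sample packets are constructed for illustration.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def routing_types(packet: bytes) -> list:
    """Walk the extension header chain; return each Routing header's type."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment headers are a fixed 8 bytes; the others carry a length
        # in 8-octet units that excludes the first 8 octets.
        length = 8 if next_header == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            raise ValueError("extension header overruns packet")
        if next_header == ROUTING:
            found.append(packet[offset + 2])
        if next_header == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            break  # non-first fragment: what follows is payload, not headers
        next_header, offset = packet[offset], offset + length
    return found

def verdict(packet: bytes) -> str:
    """Drop RH0 and unparseable chains; pass every other routing type."""
    try:
        return "drop-rh0" if 0 in routing_types(packet) else "pass"
    except ValueError:
        return "drop-malformed"

# Constructed sample packets (2001:db8::/32 documentation addresses).
ADDR_A = bytes.fromhex("20010db8000000000000000000000001")
ADDR_B = bytes.fromhex("20010db8000000000000000000000002")

def ipv6(first_header: int, body: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(body), first_header, 64) + ADDR_A + ADDR_B + body

def routing_header(rtype: int, addrs: list) -> bytes:
    # Types 0 and 2 share a layout: 4 fixed bytes, 4 reserved, 16-byte addresses.
    return bytes([NO_NEXT, 2 * len(addrs), rtype, len(addrs)]) + b"\x00" * 4 + b"".join(addrs)

RH0_PACKET = ipv6(ROUTING, routing_header(0, [ADDR_A, ADDR_B]))
RH2_PACKET = ipv6(ROUTING, routing_header(2, [ADDR_B]))

if __name__ == "__main__":
    for name, pkt in [("RH0", RH0_PACKET), ("RH2", RH2_PACKET)]:
        print(name, verdict(pkt))
```

A rule keyed on Next Header 43 alone would give both sample packets the same verdict, which is the over-filtering the reply warns about.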