> > i'm writing it with an assumption that nodes would perform ingress
> > filtering against packets with source-routing header properly - yup,
> > they CANNOT perform ingress filtering due to the existence and the
> > nature of the source-routing. it is natural for source-routed packets
> > to have their source address which seems strange for normal ingress
> > filtering. if nodes were to filter out source-routed packets based
> > on ingress filtering, those implementations are mistaken!
>
> If I understand you correctly, you're either 1) assuming that ingress
> filtering implementations would treat packets with a source
> routing/rtheader differently, e.g., to allow all such packets
> regardless of the source, or 2) arguing that the behaviour of a
> "source-routing friendly" ingress filter should be to allow source
> routing even with topologically incorrect source addresses.

i guess i'm saying (2).

> I don't believe I've seen any implementation of uRPF or similar
> filtering method that would do 1).
>
> While the merits of 2) could be argued, I believe this is not the
> right list to discuss how ingress filters could/should be more
> source-routing friendly.
>
> In either case, I believe currently deployed ingress filters will
> practically block bouncing attacks with rh0 or ipv4 source routing.

then, rthdr7 would need to rewrite source address on IPv6 header at every
intermediate hop, and use mobile-ip6 home address option for the real
source address. scary...
i would not hold my breath for rthdr7. ops guys, too bad...

itojun
--------------------------------------------------------------------
IETF IPv6 working group mailing list
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
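
Added example, not part of the original thread or any router's code: a minimal strict-uRPF check in Python showing that the filter decision discussed above depends only on the source address and the ingress interface, so a relayed source-routed packet with a topologically incorrect source is dropped whether or not it carries a routing header. The FIB, interface names, addresses and packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: prefix -> interface.
FIB = {
    "2001:db8:a::/48": "cust0",   # customer site A
    "2001:db8:b::/48": "cust1",   # customer site B
    "::/0": "upstream",
}

def reverse_path_iface(src, fib=FIB):
    """Longest-prefix match on the source address, as strict uRPF does."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(pkt, in_iface, fib=FIB):
    """Accept only if the route back to pkt['src'] points out in_iface.
    The routing header (pkt['rthdr']) is deliberately never consulted."""
    return reverse_path_iface(pkt["src"], fib) == in_iface

# Constructed packets: (label, packet, interface it arrives on).
SAMPLES = [
    ("native packet from site A",
     {"src": "2001:db8:a::1", "rthdr": []}, "cust0"),
    # Sent from site A, relayed by a node in site B via a routing header,
    # so it reaches the router on cust1 still carrying site A's source.
    ("source-routed, relayed through site B",
     {"src": "2001:db8:a::1", "rthdr": ["2001:db8:b::53"]}, "cust1"),
    ("same source on cust1, no routing header",
     {"src": "2001:db8:a::1", "rthdr": []}, "cust1"),
    ("external source arriving on upstream",
     {"src": "2001:db8:ffff::1", "rthdr": []}, "upstream"),
]

def evaluate(samples=SAMPLES):
    """Return (label, accepted) for each sample packet."""
    return [(label, urpf_strict(pkt, iface)) for label, pkt, iface in samples]

if __name__ == "__main__":
    for label, ok in evaluate():
        print(f"{'ACCEPT' if ok else 'DROP  '}  {label}")
```

The second and third samples get the same verdict, which is the point of contention in the thread: the filter cannot distinguish a source-routed packet from a spoofed one.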