Hi Dmitry,

> -----Original Message-----
> From: Dmitry Anipko [mailto:[email protected]]
> Sent: Friday, March 12, 2010 12:54 PM
> To: Templin, Fred L; Gabi Nakibly; v6ops
> Cc: [email protected]; [email protected]
> Subject: RE: Routing loop attacks using IPv6 tunnels
>
> Hello,
>
> I wanted to follow up on Fred's comment earlier in this thread:
>
> >> OK. That will greatly simplify the checks needed for new
> >> automatic tunneling protocols that have a format other
> >> than ip-proto-41.
>
> For the designers of new tunneling protocols, shall perhaps a recommendation
> on best practices be included into the draft or another document, that for
> the new tunnels a different protocol value / format should be used?

Are you referring here to 'draft-nakibly-v6ops-tunnel-loop-01'? If so,
IMHO this document would be the natural location for such a recommendation.

> Examples of such protocol / formats could include using a different
> next-protocol value, potentially with some multiplexing schema if just
> using different next-protocol values is not scalable, or possibly some
> other format.

Yes, I think it would be very good to declare ip-proto-41 as
fully-developed and recommend that new tunneling protocols use
a different ip protocol number and/or TCP/UDP port number. This
would greatly reduce the concern for having to go back and
revisit tunneling implementations that perform src/dst checks
if a new tunneling protocol happens to emerge.

Gabi - do you have any thoughts on this?

Thanks - Fred
[email protected]

> Thank you,
> Dmitry
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Templin, Fred L
> Sent: Friday, August 28, 2009 1:25 PM
> To: Gabi Nakibly; v6ops
> Cc: [email protected]; [email protected]
> Subject: RE: Routing loop attacks using IPv6 tunnels
>
> Gabi,
>
> > -----Original Message-----
> > From: Gabi Nakibly [mailto:[email protected]]
> > Sent: Friday, August 28, 2009 12:07 PM
> > To: Templin, Fred L; v6ops
> > Cc: [email protected]; [email protected]
> > Subject: Re: Routing loop attacks using IPv6 tunnels
> >
> > Correct. All the attacks rely on the fact that the ISATAP router
> > encapsulates/decapsulates a packet the 6to4 relay
> > decapsulates/encapsulates, respectively. So the two tunnels must
> > have the same encapsulation type.
>
> OK. That will greatly simplify the checks needed for new
> automatic tunneling protocols that have a format other
> than ip-proto-41.
>
> Fred
> [email protected]
>
> > ----- Original Message ----
> > > From: "Templin, Fred L" <[email protected]>
> > > To: Gabi Nakibly <[email protected]>; v6ops <[email protected]>
> > > Cc: [email protected]; [email protected]
> > > Sent: Friday, August 28, 2009 7:23:03 PM
> > > Subject: RE: Routing loop attacks using IPv6 tunnels
> > >
> > > Gabi,
> > >
> > > Correct me if I am wrong, but if there were a new version
> > > of ISATAP that did not use ip-proto-41 encapsulation but
> > > instead used a different kind of encapsulation, then it
> > > need not concern itself with routing loop interactions
> > > with 6to4 relays since 6to4 relays only know about
> > > ip-proto-41. Does that match your understanding?
> > >
> > > Thanks - Fred
> > > [email protected]
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
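One shape the "src/dst checks" mentioned in this thread can take on an ip-proto-41 tunnel router, as an added example that is not code from the thread or from the draft it discusses. The address layouts are the standard 6to4 (2002:V4ADDR::/48) and ISATAP (interface identifier 0000:5efe:V4ADDR or 0200:5efe:V4ADDR) ones. The drop rules, the `TunnelRouter` class, its method names and the sample addresses are assumptions of this example.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4: 2002:V4ADDR::/48

def embedded_ipv4(addr):
    """IPv4 addresses embedded in `addr` under the ip-proto-41 formats this
    check knows about. A format missing here goes unchecked."""
    a = ipaddress.IPv6Address(addr)
    n, found = int(a), set()
    if a in SIX_TO_FOUR:
        found.add(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    # ISATAP interface identifier, ignoring the u bit (0000:5efe or 0200:5efe)
    if (n >> 32) & 0xFDFFFFFF == 0x00005EFE:
        found.add(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    return found

class TunnelRouter:
    """Hypothetical router model: own IPv4 addresses plus its own tunnel prefixes."""

    def __init__(self, own_ipv4, onlink_prefixes=()):
        self.own = {ipaddress.IPv4Address(x) for x in own_ipv4}
        self.onlink = [ipaddress.ip_network(p) for p in onlink_prefixes]

    def _embeds_own(self, addr):
        a = ipaddress.IPv6Address(addr)
        if any(a in p for p in self.onlink):
            return False  # addresses on the router's own tunnel link are legitimate
        return bool(embedded_ipv4(addr) & self.own)

    def allow_forward_into_tunnel(self, src6):
        """Source check before encapsulation: drop if the IPv6 source embeds
        one of our IPv4 addresses in any known tunnel format."""
        return not self._embeds_own(src6)

    def allow_receive_from_tunnel(self, dst6):
        """Destination check after decapsulation: same test on the destination."""
        return not self._embeds_own(dst6)

# Constructed sample: an ISATAP router at 192.0.2.1 serving 2001:db8:1::/64.
ROUTER = TunnelRouter(["192.0.2.1"], ["2001:db8:1::/64"])
```

The check has to enumerate every address format that shares the encapsulation, which is the maintenance burden the thread wants to avoid by keeping new tunneling protocols off ip-proto-41.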
