On Fri, 14 Dec 2001, Vladislav Yasevich wrote:
> I've read your draft and here is the list of comments regarding the
> Routing Header. In my comments I am making an assumption that hosts
> do not forward packets off the node.
My draft makes the opposite assumption, as that is how I perceive most
implementations do (Linux, KAME, probably Windows as they use round-trip
traceroute, etc.), as seems to be expected by RFC2460. Your points are
valid when you make the above assumption. Nonetheless, discussion in
2.5.1. and security considerations apply. IMO, "same-node" does not seem
to be a strict enough requirement, if one assumes this kind of routing
header processing would have to be enabled on *every* host.

> ---- Section 2.1 ----
>
> [...]
> to forward using let's say ip6_forward() method. Since this is a
> host, it should not be forwarding off the node (assumption above).
> Since the route to 'host2' points off the node, the packet is dropped
> (and I think the ICMP error is returned, not sure on this point).

As far as I can see, no ICMP error is returned; I don't see where it
would be specified, and quick tests don't show that either.

> As you can see, if we restrict the hosts to not forward packets off
> the node (I think this is already done... indirectly), then the
> routing headers do not really cause big problems.

Where is this done indirectly? As a matter of fact, until very recently,
one implementation specifically allowed routing headers even when the
general forwarding was disabled .. because that is the impression RFC2460
gives.

> As for your message with people creating routes to loopback, there is
> nothing you can do if people insist on shooting themselves in the
> foot. :)

Remember, it's _attackers_ who are not doing this -- not administrators
shooting themselves in the foot.

Addrarch requires that these packets to loopback, site/linklocal are
dropped at input. However, I'm curious whether all implementations
process the packets received through this mechanism via the same input
functions as regular packets would have been -- that is, has someone
created "shortcuts" here..
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
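An added example, not code from this thread nor from any of the implementations it mentions: the host-side decision for a type-0 routing header as discussed above, in Python over constructed sample packets. The next segment address is honoured only when it is local to the node, an off-node next hop is dropped on a host that does not forward, and loopback/link-local/site-local next hops are dropped at input; the function names and verdict strings are assumptions made for illustration.

```python
import ipaddress
import struct

IPPROTO_ROUTING = 43   # IPv6 Routing Header (RFC 2460 section 4.4)
IPPROTO_NONE = 59      # "No Next Header"
IPV6_HDR_LEN = 40


def parse_rh0(packet: bytes):
    """Return (segments_left, [addresses]) for a leading type-0 routing header, else None."""
    if len(packet) < IPV6_HDR_LEN + 8 or packet[0] >> 4 != 6 or packet[6] != IPPROTO_ROUTING:
        return None
    rh = packet[IPV6_HDR_LEN:]
    _nxt, ext_len, rtype, seg_left = struct.unpack("!BBBB", rh[:4])
    # Hdr Ext Len counts 8-octet units beyond the first 8; type 0 carries
    # 16-byte addresses, so it must be even and the buffer long enough.
    n_addrs = ext_len // 2
    if rtype != 0 or ext_len % 2 or len(rh) < 8 + 16 * n_addrs:
        return None
    addrs = [ipaddress.IPv6Address(rh[8 + 16 * i:24 + 16 * i])
             for i in range(n_addrs)]
    return seg_left, addrs


def host_rh0_verdict(packet: bytes, local_addrs, forwarding_enabled=False):
    """Verdict (assumed policy) for a host that must not forward packets off the node."""
    local = {ipaddress.IPv6Address(a) for a in local_addrs}
    parsed = parse_rh0(packet)
    if parsed is None:
        return "deliver"            # no type-0 routing header present
    seg_left, addrs = parsed
    if seg_left == 0:
        return "deliver"            # RFC 2460: header is ignored, proceed
    if seg_left > len(addrs):
        return "drop:malformed"     # RFC 2460: discard, ICMP Parameter Problem
    nxt = addrs[len(addrs) - seg_left]
    # Scope check at input, as the thread says addrarch requires.
    if nxt.is_multicast or nxt.is_loopback or nxt.is_link_local or nxt.is_site_local:
        return "drop:scope"
    if nxt in local:
        return "accept:next-hop-is-local"
    # The route to nxt points off the node: a non-forwarding host drops here.
    return "forward" if forwarding_enabled else "drop:off-node"


def build_rh0_packet(src, dst, addrs, seg_left, payload=b""):
    """Constructed sample packet: IPv6 header + type-0 routing header (+ payload)."""
    rh = struct.pack("!BBBB4x", IPPROTO_NONE, 2 * len(addrs), 0, seg_left)
    rh += b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    hdr = struct.pack("!IHBB", 0x60000000, len(rh) + len(payload), IPPROTO_ROUTING, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + rh + payload
```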