On Wed, 30 May 2007, Jun-ichiro itojun Hagino 2.0 wrote:
i'm writing it with an assumption that nodes would perform ingress filtering against packets with source-routing header properly - yup, they CANNOT perform ingress filtering due to the existence and the nature of the source-routing. it is natural for source-routed packets to have their source address which seems strange for normal ingress filtering. if nodes were to filter out source-routed packets based on ingress filtering, those implementations are mistaken!
If I understand you correctly, you're either 1) assuming that ingress filtering implementations would treat packets with a source routing/rtheader differently, e.g., to allow all such packets regardless of the source, or 2) arguing that the behaviour of a "source-routing friendly" ingress filter should be to allow source routing even with topologically incorrect source addresses.
I don't believe I've seen any implementation of uRPF or similar filtering method that would do 1).
While the merits of 2) could be argued, I believe this is not the right list to discuss how ingress filters could/should be more source-routing friendly.
In either case, I believe currently deployed ingress filters will practically block bouncing attacks with rh0 or ipv4 source routing.
-- 
Pekka Savola
Netcore Oy
Systems. Networks. Security.
"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
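The filter behaviour discussed in the message above can be modelled as a strict reverse-path check (the strict mode described in RFC 3704) that looks only at the source address and the arrival interface. This is an added example, not code from the thread or from any router implementation; the FIB, interface names, addresses and the `has_rh0` field are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed FIB for one edge router: (prefix, outgoing interface).
FIB = [
    (ipaddress.ip_network("2001:db8:a::/48"), "cust0"),
    (ipaddress.ip_network("2001:db8:b::/48"), "cust1"),
    (ipaddress.ip_network("::/0"), "up0"),
]

@dataclass
class Packet:
    src: str
    in_iface: str
    has_rh0: bool = False  # hypothetical flag: a type 0 routing header is present

def best_route_iface(addr: str) -> str:
    """Longest-prefix match over the FIB; returns the outgoing interface."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in FIB if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def strict_urpf_accepts(pkt: Packet) -> bool:
    """Accept only if the best route back to the source leaves via the
    interface the packet arrived on. has_rh0 is never consulted, so a
    routing header changes nothing about the verdict."""
    return best_route_iface(pkt.src) == pkt.in_iface

# Constructed sample packets.
SAMPLES = [
    Packet("2001:db8:a::10", "cust0"),                # correct source, no RH0
    Packet("2001:db8:a::10", "cust0", has_rh0=True),  # correct source, RH0
    Packet("2001:db8:b::10", "cust0", has_rh0=True),  # wrong source for cust0, RH0
    Packet("2001:db8:b::10", "cust0"),                # wrong source for cust0, no RH0
    Packet("2001:db8:a::10", "up0", has_rh0=True),    # customer source seen on uplink
]

def verdicts(packets):
    return ["accept" if strict_urpf_accepts(p) else "drop" for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, verdicts(SAMPLES)):
        print(f"{pkt.src:16} in={pkt.in_iface:6} rh0={pkt.has_rh0!s:5} -> {verdict}")
```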