On Wed, 30 May 2007, Jun-ichiro itojun Hagino 2.0 wrote:
        i'm writing it with an assumption that nodes would perform ingress
        filtering against packets with source-routing header properly - yup,
        they CANNOT perform ingress filtering due to the existence and the
        nature of the source-routing.  it is natural for source-routed packets
        to have a source address which seems strange for normal ingress
        filtering.  if nodes were to filter out source-routed packets based
        on ingress filtering, those implementations are mistaken!

If I understand you correctly, you're either 1) assuming that ingress filtering implementations would treat packets with a source routing/rtheader differently, e.g., to allow all such packets regardless of the source, or 2) arguing that the behaviour of a "source-routing friendly" ingress filter should be to allow source routing even with topologically incorrect source addresses.

I don't believe I've seen any implementation of uRPF or similar filtering method that would do 1).

While the merits of 2) could be argued, I believe this is not the right list to discuss how ingress filters could/should be more source-routing friendly.

In either case, I believe currently deployed ingress filters will practically block bouncing attacks with rh0 or ipv4 source routing.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
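
An added illustration, not part of the original message or of any router's code: a strict uRPF check that never looks at the routing header, next to a hypothetical filter that exempts routing-header packets as in interpretation 1). The FIB, interface names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed FIB of a hypothetical edge router: prefix -> outgoing interface.
FIB = {
    "2001:db8:a::/48": "cust0",
    "2001:db8:b::/48": "cust1",
    "::/0": "uplink",
}

@dataclass
class Packet:
    src: str
    dst: str
    ingress: str                                   # interface the packet arrived on
    rh0_hops: list = field(default_factory=list)   # type 0 routing header addresses, if any

def best_route_iface(addr, fib=FIB):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in fib.items()]
    hits = [(n, ifc) for n, ifc in nets if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def strict_urpf(pkt):
    """Accept only if the best route back to the source points at the
    ingress interface. The routing header is not consulted at all."""
    return best_route_iface(pkt.src) == pkt.ingress

def rh_exempt_filter(pkt):
    """Hypothetical filter per interpretation 1): any packet carrying a
    routing header bypasses the source check."""
    return bool(pkt.rh0_hops) or strict_urpf(pkt)

# Constructed sample traffic arriving at the router.
SAMPLES = {
    "legit": Packet("2001:db8:a::10", "2001:db8:ffff::1", "cust0"),
    "legit_rh0": Packet("2001:db8:a::10", "2001:db8:ffff::1", "cust0",
                        ["2001:db8:ffff::2"]),
    "spoofed": Packet("2001:db8:b::99", "2001:db8:ffff::1", "cust0"),
    "spoofed_rh0": Packet("2001:db8:b::99", "2001:db8:ffff::1", "cust0",
                          ["2001:db8:ffff::2"]),
}

def verdicts(filter_fn):
    """Map each sample name to True (forwarded) or False (dropped)."""
    return {name: filter_fn(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for fn in (strict_urpf, rh_exempt_filter):
        print(fn.__name__, verdicts(fn))
```

Only the exempting filter lets the topologically incorrect source through when a routing header is present; strict uRPF gives the same verdict with or without it.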
