On 13-Jun-2007, at 10:42, Thomas Narten wrote:
> > Firewall policy intended to protect against packets containing RH0
> > must be constructed such that routing headers of other types are
> > not filtered by default. Doing so will break other uses of the
> > routing headers such as the Routing Header Type 2 used by Mobile
> > IPv6 [RFC3775] and future functionality designed using other
> > routing header types.
>
> Could be even stronger. How about:
>
>    It must be understood that blocking all traffic with any RH
>    (rather than restricting blockage only to type 0) has very
>    serious implications for the deployment of future
>    technology. Quite simply, if even a small percentage of deployed
>    firewalls block other types of routing headers by default, it
>    will become impossible to deploy technologies using a routing
>    header. MIPv6 [RFCxxx] relies on a type 2 RH. If even a small
>    fraction of firewalls block MIPv6 traffic, MIPv6 will become
>    undeployable in practice.
>
>    Consequently, firewall policy intended to protect against packets
>    containing RH0 MUST NOT simply filter all traffic with a routing
>    header; it must be possible to disable forwarding of type 0
>    traffic without blocking other types of routing headers. In
>    addition, the default configuration MUST be to permit forwarding
>    of traffic using a RH other than 0.
I'm slightly concerned that such advice flies in the face of
conventional advice given to those constructing firewall policy. It
is normal practice, I believe, for end-site firewall policy to be
deployed based on denying everything by default, and only permitting
those packets which are known to correspond to traffic which ought to
be permitted. I believe it is generally considered to be good advice
to block all "future technology" by default, and to permit it only
once the implications of doing so are well-known.
Outside end-sites, in the core, dropping packets based on the
presence of any type of routing header is clearly a bad idea.
If we want the advice in this section to be taken seriously, do we
need to distinguish between firewall policy in end-sites and packet
filters that might be added to core/ISP networks as a mitigation of
the specific problems associated with RH0?
Joe
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
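The distinction the thread turns on (a filter that drops every packet carrying a Routing Header versus one that drops only Routing Type 0) is easy to show in code. The following is an added illustration, not text or code from the draft or from either poster: it builds three hand-constructed IPv6 packets under the 2001:db8::/32 documentation prefix (an RH0 packet with two intermediate addresses, a Mobile IPv6 style packet with a Destination Options header followed by a type 2 Routing Header, and a plain UDP packet), walks the extension-header chain, and applies both policies. The packet builders, address values and policy function names are assumptions made for the example; only the header layouts come from RFC 2460 and RFC 3775.

```python
"""Blanket vs. RH0-only filtering of IPv6 Routing Headers (added example)."""
import struct

# IPv6 Next Header values (IANA).  Extension headers whose second octet is a
# Hdr Ext Len in 8-octet units, not counting the first 8 octets (RFC 2460).
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
LEN_FIELD_EXT = {HOPOPT, ROUTING, DSTOPTS}
UDP = 17  # upper-layer header: chain walk stops here

# Constructed documentation-prefix addresses (assumptions for the example).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
HOME = bytes.fromhex("20010db8000000000000000000000003")
HOP1 = bytes.fromhex("20010db800000000000000000000000a")
UDP_PAYLOAD = struct.pack("!HHHH", 4000, 4001, 8, 0)  # dummy UDP header, no data


def ipv6_header(next_header: int, payload: bytes) -> bytes:
    """Fixed 40-octet IPv6 header: version 6, flow label 0, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload


def routing_header(rtype: int, segments_left: int, type_data: bytes, next_header: int) -> bytes:
    """Generic Routing Header: NH, Hdr Ext Len, Routing Type, Segments Left, data."""
    total = 4 + len(type_data)
    assert total % 8 == 0, "routing header must be a multiple of 8 octets"
    return bytes([next_header, total // 8 - 1, rtype, segments_left]) + type_data


def dest_opts(next_header: int) -> bytes:
    """8-octet Destination Options header holding a single PadN(4) option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


# 1. RH0: 4 reserved octets + two 16-octet hops (Hdr Ext Len = 4).
RH0_PKT = ipv6_header(ROUTING,
                      routing_header(0, 2, b"\0" * 4 + HOP1 + HOP1, UDP) + UDP_PAYLOAD)
# 2. MIPv6-style: Destination Options, then RH2 carrying the home address
#    (RFC 3775: Hdr Ext Len = 2, Segments Left = 1).
RH2_PKT = ipv6_header(DSTOPTS,
                      dest_opts(ROUTING) + routing_header(2, 1, b"\0" * 4 + HOME, UDP) + UDP_PAYLOAD)
# 3. Plain UDP with no extension headers at all.
PLAIN_PKT = ipv6_header(UDP, UDP_PAYLOAD)


def routing_headers(pkt: bytes):
    """Walk the extension-header chain; return [(routing_type, segments_left), ...]."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, found = pkt[6], 40, []
    while nh == FRAGMENT or nh in LEN_FIELD_EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is always 8 octets; the others carry a length field.
        ext_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if nh == ROUTING:
            found.append((pkt[off + 2], pkt[off + 3]))
        nh, off = pkt[off], off + ext_len
    return found


def blanket_policy(pkt: bytes) -> str:
    """What the draft warns against: drop any packet carrying any Routing Header."""
    return "DROP" if routing_headers(pkt) else "PERMIT"


def rh0_only_policy(pkt: bytes) -> str:
    """Drop Routing Type 0 only; every other type (e.g. type 2) passes by default."""
    return "DROP" if any(rtype == 0 for rtype, _ in routing_headers(pkt)) else "PERMIT"


if __name__ == "__main__":
    for name, pkt in (("RH0", RH0_PKT), ("RH2 (MIPv6)", RH2_PKT), ("no RH", PLAIN_PKT)):
        print(f"{name:12} blanket={blanket_policy(pkt):6} rh0-only={rh0_only_policy(pkt)}")
```

The blanket policy is the one that makes type 2 (and any future type) undeployable: it drops the MIPv6 packet because it never looks at the Routing Type octet. The RH0-only policy reads that octet and so passes the same packet. On Linux the same distinction is the difference between matching the header's presence (`ip6tables ... -m ipv6header --header route`) and matching its type (`ip6tables ... -m rt --rt-type 0 -j DROP`); the latter is the form the draft text calls for. Note that the parser stops at the first upper-layer header, so a Routing Header hidden behind a non-initial fragment is not visible to either policy; a real filter has to reassemble or drop such fragments separately.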