On 7/6/07, Joe Abley <[EMAIL PROTECTED]> wrote:

On 6-Jul-2007, at 00:31, Christopher Morrow wrote:

> I hesitate to get rid of something because of this sole reason, I
> think another answer would be to make paying attention to it just
> optional for routing gear (or all things, honestly I really only care
> about routing gear, and so does this draft).

Actually, no -- hosts which conform to the current spec also process
RH0. So even if all IPv6 routers had RH0 functionality removed, hosts
could still act as bounce points for the purposes of congesting
remote paths.

I recognize that a host could still be used as a bounce-point, if the
router ignores the header though ... no real amp effect arises, unless
you can bounce between hosts across a router link in a meaningful
manner. This still is fixable with a simple filter (just like smurf or
other sorts of amplification attacks).

I should probably also flesh out some of the 'ignore' option, if RH0
exists, pass along the packet unless it's destined to 'me' then decide
to honor/ignore the header.


> I'd also take issue, for many of the same reasons stated earlier with:
>
> "The severity of this threat is considered to be sufficient to warrant
>   deprecation of RH0 entirely"
>
> from the draft, I don't think that deprecation is warranted in this
> case, if it is then anything that can cause amplification attacks is
> likely also in need of deprecation.

So, to summarise: your proposal is that RH0 should not be deprecated,
but that it should be made optional? I'm not convinced that I
understand how that's going to prevent the "amplification over remote
paths" problem.


I'm not convinced that the problem is dire enough to warrant
completely removing the capability that we don't even have any idea
about usage of :( I suppose I see deprecation as a very large hammer,
where letting folks decide to not honor the header on their
wide-area/internet network seems less damaging, or less drastic
at least.

Note too that several widely-deployed IPv6 stacks have already taken
the approach of effectively deprecating RH0. So there's a practical
consideration that if we decide to do something different, we are
diverging from deployed practice.


which? fbsd? obsd? they took the large hammer approach for some
specious set of reasons? What about XP/MacOSX/Vista/Solaris/HP-UX ?

I still go back to the 'do we want to use the really big hammer here?'
question. I don't see this as being any worse than other amplification
vectors and we haven't talked seriously about deprecating any of
those, so why this one?

-Chris

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
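The thread contrasts three ways a node can treat a packet carrying a Type 0 Routing Header: honor it (the behaviour the spec at the time required of routers and hosts), ignore it (the option Chris sketches: pass the packet along toward its destination field and, if it is addressed to "me", simply not execute the header), or discard it (the approach the widely deployed stacks mentioned by Joe had taken). The following is an added example, written for this page and not code from any of the stacks, drafts or people in the thread. It parses the IPv6 extension-header chain far enough to find an RH0, then applies one of the three policies. The policy names, the helper names and the 2001:db8::/32 addresses are this example's own constructed assumptions.

```python
"""Classify IPv6 packets by RH0 presence and apply a handling policy.

Added example for this page; not the code of any real IPv6 stack.
Packets and addresses below are constructed by hand (2001:db8::/32 is
the documentation prefix).
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_UDP = 17
# Extension headers laid out as: next header, length in 8-octet units (minus 1), ...
CHAINED = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}


def find_rh0(pkt):
    """Walk the extension-header chain of an IPv6 packet.

    Returns (segments_left, [addresses]) if a Type 0 routing header is
    present, otherwise None. Raises ValueError on malformed input."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in CHAINED or nh == NH_FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:            # fragment header is a fixed 8 octets
            nh, off = pkt[off], off + 8
            continue
        hdr_len = (pkt[off + 1] + 1) * 8
        if nh == NH_ROUTING:
            rtype, seg_left = pkt[off + 2], pkt[off + 3]
            if rtype == 0:
                body = pkt[off + 8:off + hdr_len]
                if len(body) % 16:
                    raise ValueError("RH0 address list is not a multiple of 16 octets")
                addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                         for i in range(0, len(body), 16)]
                return seg_left, addrs
        nh, off = pkt[off], off + hdr_len   # other routing types: keep walking
    return None


def decide(pkt, my_addrs, policy):
    """Return the action a node takes for pkt under the given policy.

    'honor'  : process RH0 when the packet is addressed to me (legacy spec).
    'ignore' : the thread's option: forward on the destination field alone;
               if addressed to me, deliver without executing the header.
    'drop'   : the deployed-stack approach: discard any RH0 that still has
               segments left, which is the only case the header would act on."""
    rh0 = find_rh0(pkt)
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    local = dst in my_addrs
    if rh0 is None:
        return "deliver" if local else "forward"
    seg_left, _ = rh0
    if policy == "honor":
        return "process-rh0" if local else "forward"
    if policy == "ignore":
        return "deliver-ignoring-rh0" if local else "forward"
    if policy == "drop":
        if seg_left == 0:                 # exhausted header: nothing left to execute
            return "deliver" if local else "forward"
        return "drop"
    raise ValueError("unknown policy %r" % policy)


def build_packet(src, dst, rh0_addrs=None, seg_left=0, payload=b"\x00" * 8):
    """Construct a minimal IPv6 packet (UDP payload) with an optional RH0.

    Used only to make sample input for find_rh0/decide."""
    ext, first_nh = b"", NH_UDP
    if rh0_addrs is not None:
        n = len(rh0_addrs)
        # next header, hdr ext len (2 units per address), type 0, segments left, reserved
        ext = struct.pack("!BBBBI", NH_UDP, 2 * n, 0, seg_left, 0)
        ext += b"".join(ipaddress.IPv6Address(a).packed for a in rh0_addrs)
        first_nh = NH_ROUTING
    hdr = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), first_nh, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + ext + payload


if __name__ == "__main__":
    me = {"2001:db8::1"}
    with_rh0 = build_packet("2001:db8::100", "2001:db8::1",
                            ["2001:db8::2", "2001:db8::3"], seg_left=2)
    for policy in ("honor", "ignore", "drop"):
        print(policy, decide(with_rh0, me, policy))
```

The `drop` branch deliberately lets an RH0 with Segments Left equal to zero through: such a header has already been fully consumed and cannot redirect the packet, so discarding it would break traffic without reducing exposure. The `ignore` branch is what Chris's "pass along the packet unless it's destined to 'me'" option looks like on a single node; note that it only helps where every hop on the path applies it, which is the point Joe raises about conforming hosts still acting as bounce points.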
