On Tue, 10 Nov 2009, Fred Baker wrote:
> The simplest solution to (3), if my machine is in an administrative domain facing an ISP, is to have my DMZ router perform the BCP 38 filter before the datagram reaches the ISP, and in the failure case reply with some form of ICMP message that says "routing took your datagram to an egress into the ISP with prefix <mumble>; select an address in prefix <mumble>". That will give the host the opportunity to select the correct address to traddle ingress filtering reliably.

Just as a comment: the router might not know why it's doing BCP 38 filtering and what the right prefix is. So it's more general and easier to just say "you're using a wrong source address, try something else" (e.g., if a packet is coming from a source address that's "directly connected"), or otherwise do a silent discard.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
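To make the two proposals in this exchange concrete, here is an added example (not code from the thread or from any router vendor) of the decision a DMZ egress router would make per packet: forward sources inside the prefix the ISP expects, send feedback only for sources that are directly connected (so the host can actually receive and act on it), and silently discard everything else. The prefixes are constructed documentation/ULA addresses, and the two message texts stand in for whichever ICMP code would carry them.

```python
import ipaddress

# Constructed policy for one hypothetical DMZ router.
EGRESS_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]   # what the ISP's BCP 38 filter accepts from us
CONNECTED_PREFIXES = [ipaddress.ip_network("fd00:1234::/64")]  # on-link prefix of the inside interface (ULA)


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def bcp38_verdict(src, egress=EGRESS_PREFIXES, connected=CONNECTED_PREFIXES, hint_prefix=False):
    """Classify a packet by source address as a BCP 38 egress filter would.

    Returns (action, message):
      ("forward", None)          source matches a prefix the ISP will accept
      ("icmp", text)             wrong source, but sender is directly connected, so tell it
      ("silent_discard", None)   wrong source from somewhere we cannot safely answer
    hint_prefix=True produces Fred Baker's message naming the egress prefix;
    False produces Pekka Savola's generic "try something else" message.
    """
    addr = ipaddress.ip_address(src)
    if _in_any(addr, egress):
        return ("forward", None)
    if _in_any(addr, connected):
        if hint_prefix:
            prefixes = ", ".join(str(p) for p in egress)
            return ("icmp", f"routing took your datagram to an egress with prefix {prefixes}; "
                            f"select an address in prefix {prefixes}")
        return ("icmp", "you're using a wrong source address, try something else")
    # Not on-link: the source may be spoofed, so no feedback (avoids backscatter).
    return ("silent_discard", None)


if __name__ == "__main__":
    for s in ("2001:db8:1::10", "fd00:1234::10", "2001:db8:9::1"):
        print(s, bcp38_verdict(s, hint_prefix=True))
```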
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------