On Tue, 31 May 2011, Philip Homburg wrote:

I hope there is a recommendation in the standard to have a knob to turn
this off? With security functions like forced-forwarding and alike, I'd
definitely not want the hosts to try to communicate directly between each
other.

A prefix only becomes on-link if there is a prefix option that says so.

Hm, I might not understand what you mean by "prefix option" here, if an ICMP-redirect all of a sudden can make a /128 be on-link even though it's not in my routing table.

I was not implying that hosts would do that without a router announcing the prefix as on-link. I just wanted to make clear that IPv6 *supports* direct communication between hosts that use addresses from different prefixes.

Absolutely, but if there is another way than announcing the on-link prefix that might make hosts communicate directly with each other on a subnet, that's news to me and I find this extremely interesting from a security standpoint.

For me, if I have:

R1 X::1/64
H2 X::2/128
H3 X::3/128

R1 doesn't announce any on-link prefix, so H2 and H3 use R1 to communicate between each other (they just have their own /128 in their routing table and default route pointing to R1 LL address learnt via RA).

Now, what I interpreted you as saying is that R1 can tell H2 that H3 is on-link by means of an ICMP redirect. This has security (and functional) implications in that any L2 network they might have that disallows H2 and H3 from communicating with each other even though they're in the same vlan will completely stop working if R1 doesn't have a knob to disallow it from sending redirects that might indicate that H2 and H3 are on the same L2 domain (on-link).

--
Mikael Abrahamsson    email: swm...@swm.pp.se
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
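A constructed model of the host-side behaviour discussed in this thread (an added example, not code from the thread or from any real stack): a host holding only its own /128 and a default route sends everything via R1 until either an RA prefix option with L=1 or a Redirect whose Target equals the Destination (RFC 4861 section 8.1) marks the destination as on-link. The `accept_redirects` flag stands in for the per-host knob, the validation checks are the ones RFC 4861 requires, and all addresses are constructed placeholders.

```python
import ipaddress


class Ipv6Host:
    """Simplified RFC 4861 next-hop determination for one host (constructed model)."""

    def __init__(self, own_addr, default_router_ll, accept_redirects=True):
        self.own = ipaddress.ip_interface(own_addr)                 # e.g. X::2/128
        self.default_router = ipaddress.ip_address(default_router_ll)  # R1 link-local from RA
        self.prefix_list = []        # on-link prefixes learnt from RA PIOs with L=1
        self.dest_cache = {}         # destination -> next hop, updated by Redirects
        self.accept_redirects = accept_redirects  # the host-side "knob"

    def receive_ra_prefix(self, prefix, on_link):
        # Only a PIO with the L flag set makes a prefix on-link (RFC 4861 6.3.4).
        if on_link:
            self.prefix_list.append(ipaddress.ip_network(prefix))

    def receive_redirect(self, dst, target, src):
        """Apply RFC 4861 8.1 validity checks; return True if the cache was updated."""
        if not self.accept_redirects:
            return False
        dst, target, src = (ipaddress.ip_address(a) for a in (dst, target, src))
        if not src.is_link_local:                      # source must be link-local
            return False
        if src != self.dest_cache.get(dst, self.default_router):
            return False                               # must come from current first hop
        if target != dst and not target.is_link_local:
            return False   # Target is a better router (link-local) or dst itself (on-link)
        self.dest_cache[dst] = target                  # Target == dst: dst is now a neighbor
        return True

    def next_hop(self, dst):
        d = ipaddress.ip_address(dst)
        if d in self.dest_cache:
            return str(self.dest_cache[d])
        if any(d in p for p in self.prefix_list):
            return str(d)                              # on-link prefix: send directly
        return str(self.default_router)                # otherwise via R1
```

On Linux the corresponding host-side knob is the `net.ipv6.conf.<interface>.accept_redirects` sysctl; with it cleared, only an RA prefix option can move H3 from "via R1" to "on-link" in this model.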
