Re: Fragmentation-related security issues

Fri, 06 Jan 2012 13:06:53 -0800 

On 2012-01-07 09:57, Brian Haberman wrote:
> Fred,
> 
> On 1/6/12 3:52 PM, Templin, Fred L wrote:
>> Hi Brian, 
>>
>>> -----Original Message-----
>>> From: Brian E Carpenter [mailto:brian.e.carpen...@gmail.com] 
>>> Sent: Friday, January 06, 2012 12:27 PM
>>> To: Templin, Fred L
>>> Cc: Havard Eidnes; fg...@si6networks.com; ipv6@ietf.org
>>> Subject: Re: Fragmentation-related security issues
>>>
>>> On 2012-01-07 06:07, Templin, Fred L wrote:
>>>>  
>>>>
>>>>> -----Original Message-----
>>>>> From: Havard Eidnes [mailto:h...@uninett.no] 
>>>>> Sent: Friday, January 06, 2012 12:28 AM
>>>>> To: Templin, Fred L
>>>>> Cc: fg...@si6networks.com; brian.e.carpen...@gmail.com; 
>>> ipv6@ietf.org
>>>>> Subject: Re: Fragmentation-related security issues
>>>>>
>>>>>>> The problem with RFC4821 (assumming the ICMP-free variant) is
>>>>>>> that it has a longer convergnece time that ICMP-enabled PMTU.
>>>>>> RFC4821 works even if there are no ICMPs, but will
>>>>>> converge more quickly if there are ICMPs. That is why
>>>>>> RFC4821 should be a SHOULD for hosts, and generation
>>>>>> of ICMPs should be a MUST for routers.
>>>>> Does not this also imply that ICMP-generating routers MUST use a
>>>>> globally unique IPv6 address as the source of the ICMP?
>>>> AFAICT, the normative reference is RFC4443, as cited
>>>> in RFC6434.
>>> As I think we noticed recently in some other thread, there is
>>> therefore an operational requirement that all routers must
>>> possess at least one GUA. As far as I know, some routers can work
>>> just fine for all other purposes with only link-local addresses.
>> So - can't the router just autoconfigure a ULA and use
>> it as the SA for ICMPs?
> 
> The ULA will have no meaning for ICMP messages that leave the
> administrative domain.

That doesn't matter, to avoid the issue covered in the long thread
"Routers forwarding packet with link local source" on v6ops last
month.

    Brian C
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Reply via email to