Different view on RH0: it is good to take out unmaintained networks

Gert Doering gert at space.net
Mon May 14 14:44:48 CEST 2007


Hi,

On Mon, May 14, 2007 at 11:26:35AM +0100, Jeroen Massar wrote:
> Networks who have uRPF enabled, they check the source of the packet and
> as such the packet pingpong doesn't work, yes the packet arrives, but
> when the packet has to be sent out onto the network again, it gets
> caught by the uRPF filter.
> 
> Networks who do not have uRPF enabled and thus are not properly checking
> where a packet is actually being sourced from are open to the RH0 attack.

Usually, in "normal" ISP networks, you cannot do strict uRPF on backbone 
links (because there is unavoidable asymmetry), and loose uRPF won't
help you (because there *are* routes for this host).

So the attack "send in a 2Mbit stream of packets that will bounce 50
times between two core routers" is still possible, eating backbone
bandwidth and router CPU.


The attack "send in a 2Mbit stream that will bounce between a customer
device and <somewhere else>" will be caught by strict uRPF at the customer
edge (which is a good thing to do).


So what we need, at minimum, is

  - a way to turn off RH0 processing in routers (*all* OS variants)

  - working uRPF on the edge

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
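
Added example, not part of the original message: a small Python model of the strict and loose uRPF checks discussed above, applied at a customer edge port and on a backbone link with asymmetric routing. The FIB, interface names (`cust0`, `core1`, `core2`) and addresses are constructed for illustration and do not describe any real network or router implementation.

```python
import ipaddress

# Constructed FIB for a hypothetical router: prefix -> best-path interface.
FIB = {
    "2001:db8:c::/48": "cust0",   # customer network behind the edge port
    "2001:db8:a::/48": "core1",   # remote network, best path via core1
}

def best_route(addr):
    """Longest-prefix match; returns the best-path interface or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, ifc) for net, ifc in
            ((ipaddress.ip_network(p), i) for p, i in FIB.items()) if ip in net]
    return max(hits)[1] if hits else None

def urpf_accepts(src, in_if, mode):
    """strict: best route to src must point back out in_if.
    loose: any route to src is enough."""
    route = best_route(src)
    if mode == "strict":
        return route == in_if
    if mode == "loose":
        return route is not None
    raise ValueError(f"unknown uRPF mode: {mode}")

# Constructed cases: (label, source address, ingress interface).
CASES = [
    ("customer's own traffic",          "2001:db8:c::10", "cust0"),
    ("bounced packet at customer edge", "2001:db8:a::66", "cust0"),
    ("legit traffic, asymmetric path",  "2001:db8:a::10", "core2"),
    ("bounced packet on backbone link", "2001:db8:a::66", "core2"),
    ("source with no route at all",     "2001:db8:dead::1", "core2"),
]

def evaluate():
    """Return {label: (strict_verdict, loose_verdict)} for every case."""
    return {label: (urpf_accepts(src, ifc, "strict"),
                    urpf_accepts(src, ifc, "loose"))
            for label, src, ifc in CASES}

if __name__ == "__main__":
    for label, (strict, loose) in evaluate().items():
        print(f"{label:34} strict={'pass' if strict else 'drop':4} "
              f"loose={'pass' if loose else 'drop'}")
```

On the backbone link, strict mode drops the legitimate asymmetric traffic together with the bounced packet, while loose mode passes both because a route to the source exists. Only on the customer port does strict mode separate the customer's own traffic from the bounced packet.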


More information about the ipv6-ops mailing list