Different view on RH0: it is good to take out unmaintained networks

Gert Doering gert at space.net
Mon May 14 18:33:30 CEST 2007


Hi,

On Mon, May 14, 2007 at 07:27:41PM +0300, Pekka Savola wrote:
> >Are you sure that an attack "bounce packets 50 times between two of
> >your routers" wouldn't work?
> 
> So, you mean a scenario where the attacker sends a RH0 packet with a 
> legitimate source address, but the RH address field includes a couple 
> of our routers (those ones that don't have uRPF enabled between them) 
> 50 times, resulting in bouncing back and forth between them?

Exactly.  Which could do quite some hurt, depending on the amount of
bandwidth available to the sender, and the architecture and bandwidth
of the "target" network...

> Yes, uRPF wouldn't stop that, but our loopback ACLs ("receive ACL") 
> prevent the router from being used as an intermediate hop in the 
> router header processing chain by discarding packets with a routing 
> header (or some other extension header, with exceptions).

A-ha.  Now this explains why I couldn't do this in your network :-) - it
works fine in our network, though, which is why we have border ACLs that
drop routing header.  All of them, for now, because we can't drop just
RH0 :((

Is this Cisco, or Juniper?

> As the routers don't need to act as MIPv6 correspondent nodes, mobile 
> nodes or home agents, this is a sufficient workaround until a command 
> to disable IPv6 routing header processing is available.

Indeed.  This should go into "the recommendation document", whoever is
collecting wisdom.  Jeroen...?

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  113403

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279