Different view on RH0: it is good to take out unmaintained networks
Jeroen Massar
jeroen at unfix.org
Mon May 14 12:26:35 CEST 2007
Hi,
A little mail for a nice Monday morning discussion/flamebait:
I came to realize that RH0 filtering is not really necessary at all.
Networks that have uRPF enabled check the source of the packet, and
as such the packet ping-pong doesn't work: yes, the packet arrives, but
when the packet has to be sent out onto the network again, it gets
caught by the uRPF filter.
Networks that do not have uRPF enabled and thus are not properly checking
where a packet is actually being sourced from are open to the RH0 attack.
As such, any network which does not have uRPF enabled is vulnerable to
some nice RH0 packet ping ponging.
Now, what we should hope is that people actually do NOT filter out RH0
and then send out a lot of packets with RH0 headers ping ponging
throughout the Internet. This will ensure that the networks that are
not properly applying uRPF will in effect nicely melt down.
Maybe that brings to their attention that doing uRPF is actually a good
thing as is being specified in BCP38 (BCP stands for Best Common
Practices, but clearly a lot of networks don't take it in common).
Greets,
Jeroen
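
The uRPF source check this message refers to, as an added example that is not part of the original mail: it shows that the check keys only on the source address and the arrival interface. The FIB, interface names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed FIB of a hypothetical router: (prefix, interface toward it).
FIB = [
    ("2001:db8:a::/48", "cust0"),   # customer A
    ("2001:db8:b::/48", "cust1"),   # customer B
    ("::/0", "upstream0"),          # default route
]

def lookup(fib, addr):
    """Longest-prefix match; return the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def urpf_accept(fib, src, in_iface, mode="strict"):
    """Reverse-path check on the SOURCE address only.

    strict: the best route back to src must leave via in_iface.
    loose:  any route to src is enough (a default route satisfies it).
    The destination and any routing header are not looked at.
    """
    back = lookup(fib, src)
    if back is None:
        return False
    return back == in_iface if mode == "strict" else True

def verdicts(fib, packets, mode="strict"):
    """Return 'pass' or 'drop' for each (src, in_iface) pair."""
    return ["pass" if urpf_accept(fib, s, i, mode) else "drop"
            for s, i in packets]

# Constructed arrivals: (source address, interface the packet came in on).
PACKETS = [
    ("2001:db8:a::10", "cust0"),      # customer A using its own prefix
    ("2001:db8:b::10", "cust0"),      # customer A using B's prefix
    ("2001:db8:ffff::1", "cust0"),    # source only reachable via default
    ("2001:db8:a::10", "upstream0"),  # A's prefix arriving from upstream
]

if __name__ == "__main__":
    for pkt, v in zip(PACKETS, verdicts(FIB, PACKETS)):
        print(pkt, v)
```

In loose mode the default route in this FIB makes every source pass, so only strict mode separates the four arrivals.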