FW: Filtering ULA?
david.freedman at uk.clara.net
Mon Sep 22 22:30:26 CEST 2008
--> going slightly OT here so please excuse...
Well, this means extra annoyance for me because I use loose uRPF
at the edge (so I can drop RFC1918 sourced traffic), none
of my hardware supports any bypass acls (GSR Engine >2)
so I either have to turn it off and revert to plain old
ACLs (and lose my ability to do source based blackholing)
or leave it on and not worry about the edge case people
sending ICMP from unrouted address space.
Its about time ICMP had an overhaul, this is silly,
what would happen If I sent TOOBIG messages from random sources
at the same time as a TCP handshake to people, could I
cause them to reduce their MSS to the point where the connection
performed badly? What happened if I did this in the reverse direction
i.e to a popular content site which used PMTUd to all its clients ?
Could I cause it to perform badly to everybody?
And what about unreachable messages? no checking on those
, I understand some TCP stacks on seeing these will drop
the connection (to prevent hanging) and return EHOSTUNREACH/ENETUNREACH to the app,
what happens if I spray these about referencing sources such as popular sites,
will these stacks drop their connections (if only during handshake?)
According to RFC1122:
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
188.8.131.52, 184.108.40.206, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
So its great securing TCP using sequence numbers, but the statelessness
of ICMP makes for an attack vector, no?
Group Network Engineering
From: Pekka Savola [mailto:pekkas at netcore.fi]
Sent: Mon 9/22/2008 21:00
To: Iljitsch van Beijnum
Cc: David Freedman; ipv6-ops at lists.cluenet.de
Subject: Re: Filtering ULA?
On Mon, 22 Sep 2008, Iljitsch van Beijnum wrote:
> As for the packets: what if someone generates an ICMP too big message with a
> ULA source address? That could happen. It would be really bad if people
> filtered out those packets because that creates PMTUD black holes.
Sometimes folks (usually from a network X using RFC1918 space
internally) start complaining about network Y breaking PMTUD because
they filter RFC1918 or some other bogus addresses on the border. As
if network X had some $DEITY given right to break connectivity by
exposing RFC1918 addresses to the outside and expecting the others
to special-case around their brokenness.
If it isn't routed, it's bogus and should be dropped. If you expose
unroutable address space to outside, don't make it others' fault if it
The same applies to ULA space IMHO. (And that's what the spec says as
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ipv6-ops