FW: Filtering ULA?

David Freedman david.freedman at uk.clara.net
Mon Sep 22 22:30:26 CEST 2008


--> going slightly OT here so please excuse...
 
Well, this means extra annoyance for me because I use loose uRPF 
at the edge (so I can drop RFC1918 sourced traffic), none 
of my hardware supports any bypass acls (GSR Engine >2) 
so I either have to turn it off and revert to plain old
ACLs (and lose my ability to do source based blackholing)
or leave it on and not worry about the edge case people
sending ICMP from unrouted address space.

It's about time ICMP had an overhaul, this is silly.
What would happen if I sent TOOBIG messages from random sources
at the same time as a TCP handshake to people, could I
cause them to reduce their MSS to the point where the connection
performed badly? What would happen if I did this in the reverse direction,
i.e. to a popular content site which used PMTUD to all its clients?
Could I cause it to perform badly to everybody?

And what about unreachable messages? No checking on those.
I understand some TCP stacks, on seeing these, will drop
the connection (to prevent hanging) and return EHOSTUNREACH/ENETUNREACH to the app.
What happens if I spray these about referencing sources such as popular sites,
will these stacks drop their connections (if only during handshake)?

According to RFC1122:

            A Destination Unreachable message that is received MUST be
            reported to the transport layer.  The transport layer SHOULD
            use the information appropriately; for example, see Sections
            4.1.3.3, 4.2.3.9, and 4.2.4 below.  A transport protocol
            that has its own mechanism for notifying the sender that a
            port is unreachable (e.g., TCP, which sends RST segments)
            MUST nevertheless accept an ICMP Port Unreachable for the
            same purpose.

So it's great securing TCP using sequence numbers, but the statelessness
of ICMP makes for an attack vector, no?


Dave.


Pointers anybody? 

------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net
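The question above is whether a forged ICMP error with an unrelated (or unrouted) source address can be made to act on someone else's TCP connection. The answer that TCP stacks eventually settled on (RFC 5927, "ICMP Attacks against TCP") is to validate the packet quoted inside the ICMP error rather than the error's own source address: the quoted headers must match an existing connection's 4-tuple, and the quoted TCP sequence number must fall inside the send window, before the error is acted on. The following is an added example written for this page, not code from the thread or from any real TCP stack: a small Python model of that validation for ICMPv6 Packet Too Big and Destination Unreachable, with constructed packets built from documentation-prefix addresses. Field layouts follow RFC 4443 (ICMPv6) and the IPv6/TCP base headers; the connection table, state names and result strings are this example's own assumptions.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Address

IPV6_MIN_MTU = 1280           # an IPv6 link must carry at least this (RFC 8200)
ICMPV6_DEST_UNREACH = 1       # RFC 4443 type 1
ICMPV6_PACKET_TOO_BIG = 2     # RFC 4443 type 2
HARD_UNREACH_CODES = {1, 4}   # admin prohibited, port unreachable


@dataclass
class TcpConn:
    """Minimal TCP connection state (assumed model); addresses are local/remote from our side."""
    laddr: str
    lport: int
    raddr: str
    rport: int
    snd_una: int                 # oldest unacknowledged sequence number
    snd_nxt: int                 # next sequence number to be sent
    state: str = "ESTABLISHED"   # or "SYN_SENT"
    path_mtu: int = 1500
    soft_errors: list = field(default_factory=list)
    aborted: bool = False


def seq_in_send_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """SND.UNA <= seq < SND.NXT, evaluated modulo 2**32 so it survives wraparound."""
    return (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32


def parse_icmpv6_error(pkt: bytes) -> dict:
    """Parse an ICMPv6 error: 8-byte ICMPv6 header, then the invoking IPv6 packet
    (40-byte base header followed by at least the first 8 bytes of the TCP header).
    Extension headers are not handled; the embedded packet must be plain TCP."""
    if len(pkt) < 8 + 40 + 8:
        raise ValueError("truncated ICMPv6 error")
    icmp_type, icmp_code, _csum, rest = struct.unpack("!BBHI", pkt[:8])
    ip6 = pkt[8:48]
    if ip6[6] != 6:                     # next header must be TCP
        raise ValueError("embedded packet is not TCP")
    src = str(IPv6Address(ip6[8:24]))
    dst = str(IPv6Address(ip6[24:40]))
    sport, dport, seq = struct.unpack("!HHI", pkt[48:56])
    return {"type": icmp_type, "code": icmp_code, "mtu": rest,
            "src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq}


def handle_icmpv6_error(conns: list[TcpConn], pkt: bytes) -> str:
    """Validate the quoted packet against the connection table, then act on the error.
    Note that the outer source address of the ICMPv6 packet plays no part here."""
    err = parse_icmpv6_error(pkt)
    # The quoted packet is one we sent, so its src/sport are our local side.
    conn = next((c for c in conns
                 if c.laddr == err["src"] and c.lport == err["sport"]
                 and c.raddr == err["dst"] and c.rport == err["dport"]), None)
    if conn is None:
        return "dropped: no matching connection"
    if not seq_in_send_window(err["seq"], conn.snd_una, conn.snd_nxt):
        return "dropped: sequence number outside send window"
    if err["type"] == ICMPV6_PACKET_TOO_BIG:
        mtu = err["mtu"]
        if mtu < IPV6_MIN_MTU or mtu >= conn.path_mtu:
            return "ignored: implausible MTU"
        conn.path_mtu = mtu
        return f"path MTU lowered to {mtu}"
    if err["type"] == ICMPV6_DEST_UNREACH:
        # RFC 5927: hard errors abort only during the handshake; once synchronized
        # they are recorded as soft errors and the connection is kept.
        if err["code"] in HARD_UNREACH_CODES and conn.state == "SYN_SENT":
            conn.aborted = True
            return "aborted: hard error during handshake"
        conn.soft_errors.append(err["code"])
        return "recorded as soft error; connection kept"
    return "ignored: unhandled ICMPv6 type"


def build_icmpv6_error(icmp_type: int, code: int, rest: int, src: str, dst: str,
                       sport: int, dport: int, seq: int) -> bytes:
    """Build a constructed ICMPv6 error for the demo (checksum left as zero)."""
    ip6 = (struct.pack("!IHBB", 0x60000000, 20, 6, 64)
           + IPv6Address(src).packed + IPv6Address(dst).packed)
    return struct.pack("!BBHI", icmp_type, code, 0, rest) + ip6 + struct.pack("!HHI", sport, dport, seq)


def demo() -> list[str]:
    """Constructed scenario: one established connection, three incoming errors."""
    local, remote = "2001:db8::1", "2001:db8:1::80"     # documentation prefixes
    conn = TcpConn(local, 49152, remote, 80, snd_una=1000, snd_nxt=3000)
    conns = [conn]
    results = []
    # 1. Plausible Packet Too Big: 4-tuple matches and seq is inside the send window.
    results.append(handle_icmpv6_error(conns, build_icmpv6_error(2, 0, 1400, local, remote, 49152, 80, 1500)))
    # 2. Off-path Packet Too Big that matches the 4-tuple but not the sequence number.
    results.append(handle_icmpv6_error(conns, build_icmpv6_error(2, 0, 1280, local, remote, 49152, 80, 999999)))
    # 3. Port Unreachable against an established connection: kept as a soft error.
    results.append(handle_icmpv6_error(conns, build_icmpv6_error(1, 4, 0, local, remote, 49152, 80, 2000)))
    return results
```

Running demo() shows the first error lowering the path MTU, the second being discarded on the sequence-number check, and the third being logged without tearing the connection down. The practical point for the filtering debate is that this check is independent of where the ICMP packet claims to come from, so a stack doing it is neither helped nor hurt by the border dropping errors with bogus sources; the remaining cost of such filtering is only the genuine PMTUD black hole that Iljitsch raises below.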



-----Original Message-----
From: Pekka Savola [mailto:pekkas at netcore.fi]
Sent: Mon 9/22/2008 21:00
To: Iljitsch van Beijnum
Cc: David Freedman; ipv6-ops at lists.cluenet.de
Subject: Re: Filtering ULA?
 
On Mon, 22 Sep 2008, Iljitsch van Beijnum wrote:
> As for the packets: what if someone generates an ICMP too big message with a 
> ULA source address? That could happen. It would be really bad if people 
> filtered out those packets because that creates PMTUD black holes.

Sometimes folks (usually from a network X using RFC1918 space 
internally) start complaining about network Y breaking PMTUD because 
they filter RFC1918 or some other bogus addresses on the border.  As 
if network X had some $DEITY given right to break connectivity by 
exposing RFC1918 addresses to the outside and expecting the others 
to special-case around their brokenness.

If it isn't routed, it's bogus and should be dropped. If you expose 
unroutable address space to outside, don't make it others' fault if it 
causes breakage.

The same applies to ULA space IMHO.  (And that's what the spec says as 
well.)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings


