IPv6 Type 0 Routing Header issues

Mohacsi Janos mohacsi at niif.hu
Wed Apr 25 09:41:09 CEST 2007


Hi All,

I think this is not a solution. The problems of routing header type 0 well 
know by the community since long time. This has been documented for more 
than 2-3 years know (raised 4 years ago). Are there any consensus, that 
type 0 routing header should be deprecated? Until that it is documented to
  be filtered if there is no need for it. The current patch provided by 
OpenBSD/FreeBSD makes *BSD IPv6 implemenation non-conformant to standard. 
I would rather focus on pf changes - allow filtering based on the routing 
header type. Currently you can filter based existence/non-existence of 
routing header type. This is currently clearly not enough....

Regards,

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882

On Wed, 25 Apr 2007, George V. Neville-Neil wrote:

> At Wed, 25 Apr 2007 00:46:28 +0300,
> Jari Arkko wrote:
>>
>>
>>> Just in case folks are missing out on this, find below a rather nasty
>>> security issue.
>>>
>>
>> I cannot say that this is a big surprise, even if the specific attack
>> is news to me and it has a major impact. Some issues with Type 0
>> have been known for years; I think draft-savola-ipv6-rh-ha was the
>> first to report these. RFC 4294 warns of the issues and RFC 3775
>> design was based on the idea of avoiding Type 0 because it
>> was felt that at some point Type 0 would likely be filtered due
>> to its problems. Also, draft-ietf-v6ops-security-overview was recently
>> approved. It notes, among other things that "it may be desirable
>> to forbid or limit the processing of Type 0 Routing Headers
>> in hosts and some routers."
>>
>> So I think we should take that advice and modify the stacks that
>> do not do the right thing today. A good first approximation is
>> to add a configuration knob for processing Type 0 headers
>> in both hosts and routers, with default set to off. Better
>> firewall support for doing this would also be needed (without
>> disabling use of Type 2, of course).
>>
>
> FreeBSD has already committed patches disabling the processing of
> route header option 0 by default in all 3 of the currently shipping
> branches (HEAD, 6-STABLE and 5-STABLE).
>
>> But we at the IETF also need to draw a conclusion about the
>> state of Type 0. This feature needs to be retired.
>
> The sooner that decision is made the better.  Those of us working on
> the stacks would like to remove this processing if the feature is
> retired.
>
> Best,
> George Neville-Neil
> (FreeBSD Security Team and Core Member)
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6 at ietf.org
> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>



More information about the ipv6-ops mailing list