Different view on RH0: it is good to take out unmaintained networks
Pekka Savola
pekkas at netcore.fi
Mon May 14 18:27:41 CEST 2007
On Mon, 14 May 2007, Gert Doering wrote:
> On Mon, May 14, 2007 at 03:46:34PM +0300, Pekka Savola wrote:
>> Works just fine and no RH0 problem :-)
>
> Are you sure that an attack "bounce packets 50 times between two of
> your routers" wouldn't work?
So, you mean a scenario where the attacker sends an RH0 packet with a
legitimate source address, but the RH address field includes a couple
of our routers (those ones that don't have uRPF enabled between them)
50 times, resulting in bouncing back and forth between them?
Yes, uRPF wouldn't stop that, but our loopback ACLs ("receive ACL")
prevent the router from being used as an intermediate hop in the
routing header processing chain by discarding packets with a routing
header (or some other extension header, with exceptions).
As the routers don't need to act as MIPv6 correspondent nodes, mobile
nodes or home agents, this is a sufficient workaround until a command
to disable IPv6 routing header processing is available.
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
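As an added example, not part of this post or of anything Netcore runs, the receive-ACL policy described above (discard any packet carrying a routing header, plus any other extension header that is not explicitly excepted) can be expressed as a small IPv6 extension-header walker. The allow-list of Hop-by-Hop and Fragment headers is an assumed exception set, and the packets below are constructed test input using the 2001:db8::/32 documentation prefix; the walker shows where in the chain a Routing Header sits and reads its type and Segments Left, which is what a filter has to inspect before the router would otherwise forward to the next listed address.

```python
"""Added example: receive-ACL style filter for IPv6 extension headers.
Not the list post's own code; the allow-list and sample packets are assumptions."""
import struct

IPV6_HDR_LEN = 40
NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_UDP = 17
EXT_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}


def walk_ext_headers(pkt: bytes):
    """Yield (next_header, offset) for each extension header after the fixed
    40-byte IPv6 header, then once more for the upper-layer protocol."""
    if len(pkt) < IPV6_HDR_LEN or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        yield nh, off
        # Fragment header is fixed 8 bytes; others carry Hdr Ext Len in
        # 8-octet units, not counting the first 8 octets (RFC 2460 layout).
        hlen = 8 if nh == NH_FRAGMENT else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    yield nh, off


def classify(pkt: bytes, allowed_ext=frozenset({NH_HOPOPT, NH_FRAGMENT})) -> str:
    """Apply the receive-ACL logic: any Routing Header is dropped (the routers
    need no MIPv6 RH2 either), other extension headers only pass if allow-listed."""
    for nh, off in walk_ext_headers(pkt):
        if nh == NH_ROUTING:
            rtype, segs_left = pkt[off + 2], pkt[off + 3]
            return f"drop:routing-header type={rtype} segments_left={segs_left}"
        if nh in EXT_HEADERS and nh not in allowed_ext:
            return f"drop:ext-header {nh}"
    return "accept"


# --- constructed sample packets (documentation prefix, not real hosts) ---
SRC = bytes.fromhex("20010db8000000010000000000000001")    # 2001:db8:0:1::1
RTR_A = bytes.fromhex("20010db8000000020000000000000001")  # 2001:db8:0:2::1
RTR_B = bytes.fromhex("20010db8000000030000000000000001")  # 2001:db8:0:3::1


def ipv6_header(nh: int, payload_len: int, src: bytes, dst: bytes) -> bytes:
    """Fixed IPv6 header: version 6, zero traffic class / flow label, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, payload_len, nh, 64) + src + dst


def rh0_header(next_header: int, addrs: list) -> bytes:
    """Type 0 Routing Header with Segments Left == number of addresses."""
    n = len(addrs)
    return struct.pack("!BBBBI", next_header, 2 * n, 0, n, 0) + b"".join(addrs)


def sample_packets() -> dict:
    udp = b"\x00\x35\x00\x35\x00\x08\x00\x00"  # constructed UDP header, no payload
    pad_opt = struct.pack("!BB", NH_UDP, 0) + b"\x01\x04\x00\x00\x00\x00"  # PadN, 8 bytes
    rh = rh0_header(NH_UDP, [RTR_B, RTR_A])
    return {
        "plain": ipv6_header(NH_UDP, len(udp), SRC, RTR_A) + udp,
        "rh0": ipv6_header(NH_ROUTING, len(rh) + len(udp), SRC, RTR_A) + rh + udp,
        "hopbyhop": ipv6_header(NH_HOPOPT, len(pad_opt) + len(udp), SRC, RTR_A) + pad_opt + udp,
        "dstopts": ipv6_header(NH_DSTOPTS, len(pad_opt) + len(udp), SRC, RTR_A) + pad_opt + udp,
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:9s} -> {classify(pkt)}")
```

Because the walker follows the whole chain rather than only looking at the first Next Header byte, a Routing Header hidden behind a Hop-by-Hop or Fragment header is still caught, which is the case a naive "next header == 43" match misses.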