Different view on RH0: it is good to take out unmaintained networks

Pekka Savola pekkas at netcore.fi
Mon May 14 18:27:41 CEST 2007


On Mon, 14 May 2007, Gert Doering wrote:
> On Mon, May 14, 2007 at 03:46:34PM +0300, Pekka Savola wrote:
>> Works just fine and no RH0 problem :-)
>
> Are you sure that an attack "bounce packets 50 times between two of
> your routers" wouldn't work?

So, you mean a scenario where the attacker sends a RH0 packet with a 
legitimate source address, but the RH address field includes a couple 
of our routers (those ones that don't have uRPF enabled between them) 
50 times, resulting in bouncing back and forth between then?

Yes, uRPF wouldn't stop that, but our loopback ACLs ("receive ACL") 
prevent the router from being used as an intermediate hop in the 
router header processing chain by discarding packets with a routing 
header (or some other extention header, with exceptions).

As the routers don't need to act as MIPv6 correspondent nodes, mobile 
nodes or home agents, this is a sufficient workaround until a command 
to disable IPv6 routing header processing is available.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



More information about the ipv6-ops mailing list