Filtering ULA?
Pekka Savola
pekkas at netcore.fi
Mon Sep 22 22:38:13 CEST 2008
On Mon, 22 Sep 2008, Iljitsch van Beijnum wrote:
>> If it isn't routed, it's bogus and should be dropped. If you expose
>> unroutable address space to outside, don't make it others' fault if it
>> causes breakage.
>
> Well, then what are people who use ULA addressing for some of their routers
> internally supposed to do? There is no RFC that says this is not allowed and
> also no RFC that borrows a non-ULA address from another interface (like with
> link local) so either write those RFCs, don't use PMTUD or expect problems at
> your end.
First of all, you should really figure out if ULA is such a great idea
in the first place.
But if you use it (e.g. in SOHO or similar "sometimes disconnected"
case) -- don't decrease MTU in your internal network, so you'll never
have to send ICMP Packet Too Bigs to the outside. No problem then.
David, yes, the source address in ICMP PMTUD messages is irrelevant.
The attack you mention is possible. It's discussed in detail in
http://tools.ietf.org/html/draft-ietf-tcpm-icmp-attacks-03 Section 7.
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
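As an added illustration (not code from the thread or from either poster), the following Python simulation shows the failure mode under discussion: an internal router whose only address is ULA forwards onto a link with a reduced MTU, the ICMPv6 Packet Too Big it originates is bogon-filtered at the remote border, and path MTU discovery black-holes. It also shows Pekka's mitigation (do not decrease the internal MTU) and the contrast with a router that sources the error from a global address. The addresses, MTUs and the border filter are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

ULA = IPv6Network("fc00::/7")  # RFC 4193 unique local address space


@dataclass(frozen=True)
class Hop:
    """A router on the path; ICMPv6 errors it originates carry `addr` as source."""
    addr: IPv6Address
    next_link_mtu: int  # MTU of the link it forwards the packet onto


def border_filter_drops(src: IPv6Address) -> bool:
    """Bogon filter at the sender's border: ULA is unroutable, so it is dropped."""
    return src in ULA


def pmtud(path: list, size: int) -> tuple:
    """Walk one packet along `path`, shrinking it on every Packet Too Big the
    sender actually receives. Returns (delivered, final packet size)."""
    while True:
        for hop in path:
            if size > hop.next_link_mtu:
                # The hop must send ICMPv6 Packet Too Big from its own address.
                if border_filter_drops(hop.addr):
                    return False, size  # PTB filtered: PMTUD black hole
                size = hop.next_link_mtu  # sender learns the smaller MTU, retries
                break
        else:
            return True, size  # every link on the path accepted the packet


# Constructed sample paths (documentation prefix and ULA example addresses).
ISP_EDGE = Hop(IPv6Address("2001:db8::1"), 1500)
ULA_ROUTER_SMALL_MTU = Hop(IPv6Address("fd00::1"), 1280)      # internal tunnel link
ULA_ROUTER_FULL_MTU = Hop(IPv6Address("fd00::1"), 1500)       # MTU not decreased
GLOBAL_ROUTER_SMALL_MTU = Hop(IPv6Address("2001:db8::2"), 1280)

BROKEN = [ISP_EDGE, ULA_ROUTER_SMALL_MTU]        # ULA source + smaller MTU
MITIGATED = [ISP_EDGE, ULA_ROUTER_FULL_MTU]      # Pekka's advice: keep MTU
GLOBAL_SOURCE = [ISP_EDGE, GLOBAL_ROUTER_SMALL_MTU]  # PTB from a routable address

if __name__ == "__main__":
    for name, path in (("broken", BROKEN), ("mitigated", MITIGATED),
                       ("global-src", GLOBAL_SOURCE)):
        print(name, pmtud(path, 1500))
```

The broken path never delivers the 1500-byte packet because the sender never sees the Packet Too Big; the mitigated path needs no ICMPv6 error at all, and the global-source path converges to 1280.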