(Loose) uRPF vs. non-announced IXP space
Havard Eidnes
he at uninett.no
Thu Feb 9 11:19:19 CET 2012
>>>> From my point of view RFC 5963 should be updated to
>>>> recommend the global announcement of IX prefixes for IPv6 or
>>>> - as already mentioned - an alternative would be to source
>>>> the ICMP messages from a public address instead.
>>>
>>> Vendors providing uRPF implementations that cannot be
>>> configured to add exceptions, like "permit all ICMP packet
>>> too big" are part of the problem.
>
> It isn't just uRPF - we had a similar discussion about ICMP PTB
> with a link-local source, which any router should drop
> according to the standards.
>
> Surely the only safe solution is to ensure that every ICMP PTB
> (or echo reply) has a valid globally routable source addr.
I agree to some of this -- using link-locals for ICMP sourcing is
just plain silly, especially when we're talking about devices
which can inject traffic into the global IPv6 Internet. I have
one word for anyone thinking otherwise: spoofing.
However, the address space used to number most IXes come from the
"globally routeable addres space pool". I don't think that the
attached router's software can by itself know that the
corresponding address space is "routeable but not routed", i.e.
not advertised into the global Internet, and therefore trigger
actions to avoid using the interface address as a source for ICMP
messages.
I'd say that from a deployment perspective, the IXes biting the
bullet and start announcing their IX address spaces into the
global Internet is the one solution mentioned here (by far) with
the shortest lead time. Anything involving tweaking standards or
recommendations and then getting it implemented in software and
deployed in the field is going to take several years, which looks
mightily unattractive if we're looking for a solution to a "here
and now" problem.
Regards,
- Håvard
More information about the ipv6-ops
mailing list