netdev

Re: (usagi-users 00750) Re: source routing honored by hosts?

To: <usagi-users@xxxxxxxxxxxxxx>
Subject: Re: (usagi-users 00750) Re: source routing honored by hosts?
From: Pekka Savola <pekkas@xxxxxxxxxx>
Date: Sat, 1 Sep 2001 15:09:04 +0300 (EEST)
Cc: <ak@xxxxxx>, <dlstevens@xxxxxxxxxx>, <netdev@xxxxxxxxxxx>
In-reply-to: <20010901195708V.yoshfuji@xxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
On Sat, 1 Sep 2001, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <20010901122229.64064@xxxxxxxxxxxx> (at Sat, 1 Sep 2001 12:22:29 
> +0200), Andi Kleen <ak@xxxxxx> says:
>
> > On Sat, Sep 01, 2001 at 01:14:11AM +0200, David Stevens wrote:
> > > ip6_forward() has the following two lines:
> > >
> > >      if (ipv6_devconf.forwarding == 0 && opt->srcrt == 0)
> > >           goto error;
> > >
> > > Aside from the other issue of per-interface forwarding :-), this appears
> > > to allow forwarding of source-routed packets even when the node is a
> > > host, only. That seems to be a security hole to me. Suppose you have a
> > > multihomed host, or
>
> > >      if (ipv6_devconf.forwarding == 0)
> > >           goto error;
> >
> > Definitely.
>
> NO.  In IPv6, even if a node is not a router (i.e. it is a host),
> it MUST forward source routed packets.  So,

This is by the spec, yeah.

> 4.4  Routing Header
> :
>    If, while processing a received packet, a *node* encounters a Routing
>                                              ~~~~~~
>    header with an unrecognized Routing Type value, the required behavior
>    of the node depends on the value of the Segments Left field, as
>    follows:


Problem with source routing is that with scenarios like:

host1 --- rtr1 --- rtr2 --- host2
                    |     /
                   rtr3 -/
                    |
                  host3

you may want to route the packet first from host1 to host2, and from host2
through rtr3 to host3.  host2 might not have a route to host3 pointing
towards rtr3.

I guess this is what the forwarding exception is for?  If it was only for
routers, you couldn't source route through host2.

IPv4 source routing should work in the same way though, AFAIR, so I
don't know how the IPv4 implementation deals with this?


One could argue, though, that obeying source routing should be togglable,
as it's impossible to authenticate, and may allow packets to traverse
where they normally should never be able to go.

(Rather challenging to firewall, too, as real destination can be hidden
in the routing header options.. urghh..)

And don't you just love....:

Security Considerations

   The security features of IPv6 are described in the Security
   Architecture for the Internet Protocol [RFC-2401].

sigh.  the ipsec security pixie dust at it again.

Writing to ipng mailing list..

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
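Added example, not part of Pekka's message or of the kernel's ip6_forward(): a small decoder for the RH0 case discussed above. It shows the two points the thread makes: the Destination Address a firewall sees in the fixed header (host2) is not where the packet ends up (host3, the last entry of the Routing Header list), and the forward/drop decision can be made togglable instead of being tied to "source-routed or not". The packet bytes are constructed for the host1 -> host2 -> host3 scenario in the message; `accept_srcrt` is a hypothetical toggle name, not a real sysctl. Only a Routing Header placed directly after the fixed header is handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN    40
#define NEXTHDR_ROUTING 43
#define NEXTHDR_TCP     6

struct sr_info {
    int     has_rh;          /* 1 if a Routing Header directly follows the fixed header */
    uint8_t rh_type;         /* Routing Type field */
    uint8_t segments_left;   /* Segments Left field */
    uint8_t n_addrs;         /* addresses listed in an RH0 (Hdr Ext Len / 2) */
    uint8_t dst_hdr[16];     /* Destination Address from the fixed header */
    uint8_t dst_final[16];   /* address reached once all segments are consumed */
};

/* Returns 0 on success, -1 on truncated/malformed input, -2 if not IPv6. */
int parse_ipv6_srcrt(const uint8_t *pkt, size_t len, struct sr_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < IPV6_HDR_LEN) return -1;
    if ((pkt[0] >> 4) != 6) return -2;

    uint16_t payload_len = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if ((size_t)IPV6_HDR_LEN + payload_len > len) return -1;

    memcpy(out->dst_hdr, pkt + 24, 16);
    memcpy(out->dst_final, pkt + 24, 16);   /* default: no source routing */

    if (pkt[6] != NEXTHDR_ROUTING) return 0;

    size_t off = IPV6_HDR_LEN;
    if (off + 8 > len) return -1;
    uint8_t hdr_ext_len = pkt[off + 1];     /* 8-octet units, excluding the first 8 */
    if (off + 8 + (size_t)hdr_ext_len * 8 > len) return -1;

    out->has_rh = 1;
    out->rh_type = pkt[off + 2];
    out->segments_left = pkt[off + 3];

    if (out->rh_type != 0) return 0;        /* unknown type: cannot tell where it goes */
    if (hdr_ext_len % 2) return -1;         /* RFC 2460 4.4: RH0 length must be even */
    out->n_addrs = hdr_ext_len / 2;
    if (out->segments_left > out->n_addrs) return -1;

    /* With segments left, Address[n] (the last listed) is the real destination;
       the fixed-header destination is only the next intermediate hop. */
    if (out->segments_left > 0 && out->n_addrs > 0)
        memcpy(out->dst_final, pkt + off + 8 + (size_t)(out->n_addrs - 1) * 16, 16);
    return 0;
}

/* Decision for a packet addressed to this node that still has segments left.
   'forwarding' mirrors the ipv6 forwarding sysctl; 'accept_srcrt' is the
   hypothetical toggle from the discussion. 1 = forward to next segment, 0 = drop.
   accept_srcrt=1 reproduces the quoted ip6_forward() check (hosts honor RH0);
   accept_srcrt=0 reproduces the proposed stricter check. */
int srcrt_forward_decision(const struct sr_info *in, int forwarding, int accept_srcrt)
{
    if (!in->has_rh || in->segments_left == 0) return 0;
    if (forwarding) return 1;
    return accept_srcrt ? 1 : 0;
}

/* Constructed addresses for host1, host2, host3 (documentation prefix). */
const uint8_t HOST1[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
const uint8_t HOST2[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2};
const uint8_t HOST3[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,3};

/* Constructed packet: header dst = host2, RH0 list = [host3], Segments Left = 1,
   followed by 20 zero bytes standing in for a TCP header. Returns total length. */
size_t build_sample_packet(uint8_t *buf, size_t cap)
{
    const size_t rh_len = 8 + 16, tcp_len = 20;
    size_t total = IPV6_HDR_LEN + rh_len + tcp_len;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                               /* version 6 */
    buf[4] = (uint8_t)((rh_len + tcp_len) >> 8); /* payload length */
    buf[5] = (uint8_t)((rh_len + tcp_len) & 0xff);
    buf[6] = NEXTHDR_ROUTING;
    buf[7] = 64;                                 /* hop limit */
    memcpy(buf + 8, HOST1, 16);
    memcpy(buf + 24, HOST2, 16);
    uint8_t *rh = buf + IPV6_HDR_LEN;
    rh[0] = NEXTHDR_TCP;
    rh[1] = 2;                                   /* one address = two 8-octet units */
    rh[2] = 0;                                   /* Routing Type 0 */
    rh[3] = 1;                                   /* Segments Left */
    memcpy(rh + 8, HOST3, 16);
    return total;
}

int main(void)
{
    uint8_t pkt[128];
    struct sr_info info;
    size_t n = build_sample_packet(pkt, sizeof pkt);
    if (parse_ipv6_srcrt(pkt, n, &info) != 0) return 1;
    printf("header dst ends in ::%x, final dst ends in ::%x, segments left %u\n",
           info.dst_hdr[15], info.dst_final[15], info.segments_left);
    printf("host, srcrt honored: %d; host, srcrt refused: %d\n",
           srcrt_forward_decision(&info, 0, 1), srcrt_forward_decision(&info, 0, 0));
    return 0;
}
```

A filter that matches only on the fixed-header Destination Address would see host2 here and never host3; a filter that wants the real destination has to walk to the Routing Header and read its last entry, which is the "hidden destination" problem noted above.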

