Re: source routing honored by hosts?

To: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@xxxxxxxxxxxxxx>
Subject: Re: source routing honored by hosts?
From: "David Stevens" <dlstevens@xxxxxxxxxx>
Date: Sat, 1 Sep 2001 20:09:52 -0600
Cc: ak@xxxxxx, netdev@xxxxxxxxxxx, usagi-users@xxxxxxxxxxxxxx
Importance: Normal
Sender: owner-netdev@xxxxxxxxxxx

>RFC 2460 says:
>
>4.4  Routing Header
>:
>   If, while processing a received packet, a *node* encounters a Routing
>                                             ~~~~~~
>   header with an unrecognized Routing Type value, the required behavior
>   of the node depends on the value of the Segments Left field, as
>   follows:

     Routers are nodes too. The wording is unfortunately ambiguous, because
they haven't explicitly said hosts must route source-routed packets. But:

>   router      - a node that forwards IPv6 packets not explicitly
>                 addressed to itself.  [See Note below].

In the case in question, the IP destination is not the host. So, you could
make the argument that the packet isn't explicitly addressed to it and
therefore should be dropped if it's a host, routed if it's a router. You could
also make the argument that the source-route itself is the explicit addressing.

Whether they intended for hosts to forward source-routed packets or not is a
good question (esp. if it's a requirement, or if they're allowing for the
possibility).
     If that's their intent, then I'd say it's a misfeature. Consider the
scenario where you have, say, a cable modem connected to the Internet and an
IPsec tunnel to your company's intranet. If your company's firewall only filters
packets coming in from the Internet, and not any from the "trusted" intranet
hosts, then a bad guy can source-route through you (even though your machine is
configured as a host) to get packets in, and the target host will gladly send
TCP ACK's, confidential data, etc. directly to the waiting cracker. Your host
will encrypt, encapsulate and forward to your company's intranet and the target
machine.
     Personally, I wouldn't want any machine not explicitly configured as a
router to forward packets, but for security reasons, I think if you support it
at all, it at least should be a configuration option defaulting to "off".

                                                   +-DLS
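As an added example (not code from this thread or from any kernel), the RFC 2460 section 4.4 decision procedure for a received Routing Header, with the host-side knob the message argues for: a node that is not a router only forwards a source-routed packet when `forward_source_routed` (a hypothetical option name) is set, and it defaults to off. The packets are constructed in the block itself.

```python
import struct
import ipaddress

ROUTING_HDR = 43  # Next Header value of the IPv6 Routing Header (RFC 2460 section 4.4)

def build_packet(src, dst, rtype, segs_left, addrs):
    """Constructed sample: fixed IPv6 header + Routing Header, no payload."""
    rh = struct.pack("!BBBBI", 59, 2 * len(addrs), rtype, segs_left, 0)  # 59 = No Next Header
    rh += b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    ip6 = struct.pack("!IHBB", 0x60000000, len(rh), ROUTING_HDR, 64)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh

def process(pkt, is_router=False, forward_source_routed=False):
    """Return (action, detail) for a received packet, following RFC 2460 section 4.4.
    forward_source_routed is the hypothetical host-side option, default off."""
    if len(pkt) < 40 or pkt[6] != ROUTING_HDR:
        return ("deliver", None)                    # no Routing Header right after the fixed header
    off = 40
    _nxt, ext_len, rtype, segs_left = pkt[off:off + 4]
    if len(pkt) < off + (ext_len + 1) * 8:
        return ("drop", "truncated routing header")
    if rtype != 0:                                  # unrecognized Routing Type
        if segs_left == 0:
            return ("deliver", "ignore unrecognized routing header")
        return ("icmp_param_problem", off + 2)      # pointer to the Routing Type field
    if segs_left == 0:
        return ("deliver", None)                    # final destination reached
    if ext_len % 2:
        return ("icmp_param_problem", off + 1)      # Hdr Ext Len must be even for Type 0
    n = ext_len // 2                                # number of addresses in the header
    if segs_left > n:
        return ("icmp_param_problem", off + 3)      # pointer to the Segments Left field
    # The packet is not addressed to us; it asks to be source-routed through this node.
    if not (is_router or forward_source_routed):
        return ("drop", "host does not forward source-routed packets")
    i = n - segs_left                               # 0-based index of the next address to visit
    a = off + 8 + 16 * i
    new_dst = ipaddress.IPv6Address(pkt[a:a + 16])
    out = bytearray(pkt)
    out[a:a + 16], out[24:40] = pkt[24:40], new_dst.packed  # swap Destination Address and Address[i]
    out[off + 3] = segs_left - 1                    # decrement Segments Left
    return ("forward", (str(new_dst), bytes(out)))
```

Routing Type 0, the only type RFC 2460 defines, was later deprecated by RFC 5095 for exactly the kind of traffic amplification and filter-bypass risk described above.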