Re: source routing honored by hosts?

To: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@xxxxxxxxxxxxxx>
Subject: Re: source routing honored by hosts?
From: "David Stevens" <dlstevens@xxxxxxxxxx>
Date: Sat, 1 Sep 2001 20:09:52 -0600
Cc: ak@xxxxxx, netdev@xxxxxxxxxxx, usagi-users@xxxxxxxxxxxxxx
Importance: Normal
Sender: owner-netdev@xxxxxxxxxxx

>RFC 2460 says:
>4.4  Routing Header
>   If, while processing a received packet, a *node* encounters a Routing
>                                             ~~~~~~
>   header with an unrecognized Routing Type value, the required behavior
>   of the node depends on the value of the Segments Left field, as
>   follows:

     Routers are nodes too. The wording is unfortunately ambiguous, because
they haven't explicitly said hosts must route source-routed packets. But:

>   router      - a node that forwards IPv6 packets not explicitly
>                 addressed to itself.  [See Note below].

In the case in question, the IP destination is not the host. So, you could
make the argument that the packet isn't explicitly addressed to it and
therefore should be dropped if it's a host, routed if it's a router. You
also make the argument that the source-route itself is the explicit

Whether they intended for hosts to forward source-routed packets or not is
a good question (esp. if it's a requirement, or if they're allowing for the

     If that's their intent, then I'd say it's a misfeature. Consider the
scenario where you have, say, a cable modem connected to the Internet and
IPsec tunnel to your company's intranet. If your company's firewall only
packets coming in from the Internet, and not any from the "trusted"
hosts, then a bad guy can source-route through you (even though your
machine is configured as a host) to get packets in, and the target host will gladly
TCP ACK's, confidential data, etc. directly to the waiting cracker. Your
will encrypt, encapsulate and forward to your company's intranet and the

     Personally, I wouldn't want any machine not explicitly configured as a
router to forward packets, but for security reasons, I think if you support
at all, it at least should be a configuration option defaulting to "off".
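The following is an added example, not code from the message above or from the netdev/USAGI projects. It implements the RFC 2460 section 4.4 receive-side rules the thread is arguing about: the unrecognized-Routing-Type rule (ignore when Segments Left is zero, otherwise discard and point an ICMP Parameter Problem at the Routing Type field) and the Type 0 forwarding algorithm, with the configuration knob the mail asks for bolted on: a `forward_source_routed` flag that defaults to off, so a node that has not been configured to relay drops a header that would otherwise make it forward on someone else's behalf. The `build_rh0` helper, the `Verdict` type and the flag name are this example's assumptions; the packet in `__main__` is constructed. (Type 0 was later deprecated outright by RFC 5095, for essentially the firewall-bypass reason described in the mail.)

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Sequence

# Byte offsets of the fixed fields of an IPv6 Routing Header (RFC 2460, 4.4).
# They double as the "pointer" value of an ICMP Parameter Problem, Code 0.
OFF_NEXT_HEADER = 0
OFF_HDR_EXT_LEN = 1
OFF_ROUTING_TYPE = 2
OFF_SEGMENTS_LEFT = 3
FIXED_LEN = 8  # four one-byte fields plus 32 reserved bits (Type 0 layout)


@dataclass
class Verdict:
    action: str                          # "proceed", "forward" or "discard"
    reason: str
    icmp_pointer: Optional[int] = None   # set when an ICMP Parameter Problem must be sent
    next_hop: Optional[str] = None       # new Destination Address when forwarding


def build_rh0(next_header: int, addresses: Sequence[str], segments_left: int) -> bytes:
    """Construct a Type 0 Routing Header; each address is 2 x 8 octets of Hdr Ext Len."""
    vec = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBBBI", next_header, 2 * len(addresses), 0, segments_left, 0) + vec


def process_routing_header(rh: bytes, dst: str, hop_limit: int, *,
                           forward_source_routed: bool = False) -> Verdict:
    """Decide what a receiving node does with a Routing Header.

    The unrecognized-type rule and the Type 0 algorithm follow RFC 2460, 4.4.
    forward_source_routed is the assumed host-side knob the mail argues for:
    it defaults to off, so a plain host never acts as a source-route relay.
    """
    if len(rh) < FIXED_LEN:
        return Verdict("discard", "truncated routing header")
    _next_header, ext_len, rtype, seg_left = struct.unpack_from("!BBBB", rh, 0)
    if len(rh) < FIXED_LEN + ext_len * 8:
        return Verdict("discard", "Hdr Ext Len exceeds available data")

    if rtype != 0:
        # Unrecognized Routing Type: behaviour depends only on Segments Left.
        if seg_left == 0:
            return Verdict("proceed", "unrecognized type, Segments Left = 0: header ignored")
        return Verdict("discard", "unrecognized type, Segments Left > 0",
                       icmp_pointer=OFF_ROUTING_TYPE)

    # Type 0 processing.
    if seg_left == 0:
        return Verdict("proceed", "Segments Left = 0: this node is the final destination")
    if not forward_source_routed:
        # Assumed policy: a node not configured to relay drops here instead of
        # silently turning itself into a router for whoever built the header.
        return Verdict("discard", "source-routed forwarding disabled on this node")
    if ext_len % 2:
        return Verdict("discard", "odd Hdr Ext Len", icmp_pointer=OFF_HDR_EXT_LEN)
    n = ext_len // 2                      # number of addresses in the vector
    if seg_left > n:
        return Verdict("discard", "Segments Left exceeds address count",
                       icmp_pointer=OFF_SEGMENTS_LEFT)
    seg_left -= 1
    i = n - seg_left                      # 1-based index of the next address
    off = FIXED_LEN + (i - 1) * 16
    next_addr = ipaddress.IPv6Address(rh[off:off + 16])
    if next_addr.is_multicast or ipaddress.IPv6Address(dst).is_multicast:
        return Verdict("discard", "multicast address in source route")
    if hop_limit <= 1:
        return Verdict("discard", "Hop Limit exhausted (ICMP Time Exceeded, Code 0)")
    return Verdict("forward", f"swap Destination Address with Address[{i}] and resubmit",
                   next_hop=str(next_addr))


if __name__ == "__main__":
    # Constructed sample: a two-hop Type 0 header carrying TCP (Next Header 6),
    # as received by a node that is not the final destination.
    rh = build_rh0(6, ["2001:db8::1", "2001:db8::2"], segments_left=2)
    print(process_routing_header(rh, "2001:db8::100", 64))
    print(process_routing_header(rh, "2001:db8::100", 64, forward_source_routed=True))
```

Run with the flag left at its default and the two-hop header is discarded before any address is even looked at; only a node explicitly opted in gets as far as the address swap and hop-limit check. Whether a real stack exposes that choice, and what it defaults to, is exactly the point the mail raises.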