On Wed, 3 Sep 2003, Ville Nuorvala wrote:
> Who says it isn't possible? The user who thinks he knows better can change
> the accept_ra (and rtr_solicits) flag for the tunnel dev and start
> receiving RAs through it.
right, but..
> > _However_, that doesn't make sense unless you have a more specific route
> > to the destination IPv6 tunnel endpoint.
>
> Yes, exactly. And what should the node do if it just has two default
> routes, one through a tunnel and one through an ethernet interface? This
> will be the case if a normal host receives RAs through both interfaces.
>
> At least two things can go wrong:
> 1) A packet intended to the tunnel is sent straight through the ethernet
> device
> 2) A packet already encapsulated by the tunnel is rerouted through it and
> is thus dropped
>
> Based on my own experiences, I can say things like this do happen.
Well, could it be too hacky to implement a check which ensures that if you
add a route over a tunnel, there must be a more specific route to the
tunnel endpoint? -- otherwise adding the route would fail?
(not sure what it would require to make it so, or whether an approach like
this would turn out to be infeasible in the end -- but this would seem to
be very feasible to me..)
I'm a bit concerned by this, but if folks think disabling RA's by default
on ipv6-in-ipv6 tunnels is enough, fine..
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
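The check discussed in this message, modelled as an added example that is not part of the thread and not kernel code: routes and tunnels are simplified stand-ins (constructed sample table, documentation prefix 2001:db8::/32, tunnel device name ip6tnl1 assumed), and the function rejects a route over a tunnel unless the tunnel endpoint is reached by a strictly more specific route that does not itself go through the tunnel.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv6Network   # destination prefix
    dev: str                        # outgoing interface


@dataclass(frozen=True)
class Tunnel:
    dev: str                          # tunnel interface name
    endpoint: ipaddress.IPv6Address   # remote (outer) tunnel endpoint


def lookup(table, dst):
    """Longest-prefix match over the table; returns the chosen Route or None."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def check_tunnel_route(table, tunnels, new):
    """Decide whether route `new` may be added. Returns (accepted, reason)."""
    tun = next((t for t in tunnels if t.dev == new.dev), None)
    if tun is None:
        return True, "not-a-tunnel"
    hop = lookup(table, tun.endpoint)
    if hop is None:
        return False, "no-route-to-endpoint"
    if hop.dev == tun.dev:
        # Failure 2 from the thread: already encapsulated packets would be
        # routed back into the tunnel and dropped.
        return False, "endpoint-via-tunnel"
    if tun.endpoint in new.prefix and hop.prefix.prefixlen <= new.prefix.prefixlen:
        # Failure 1: e.g. two default routes; which interface carries the
        # outer packet is then ambiguous, so require a more specific route.
        return False, "endpoint-route-not-more-specific"
    return True, "ok"


def net(s):
    return ipaddress.IPv6Network(s)


if __name__ == "__main__":
    tunnels = [Tunnel("ip6tnl1", ipaddress.IPv6Address("2001:db8:1::1"))]
    good = [Route(net("::/0"), "eth0"), Route(net("2001:db8:1::/64"), "eth0")]
    bad = [Route(net("::/0"), "eth0")]   # only a default route to the endpoint
    print(check_tunnel_route(good, tunnels, Route(net("::/0"), "ip6tnl1")))
    print(check_tunnel_route(bad, tunnels, Route(net("::/0"), "ip6tnl1")))
```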