This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] Re: not announcing IXP IPv6 peering lan prefixes in global BGP table possibly breaks PMTUD
Gert Doering
gert at space.net
Tue Jul 26 09:56:35 CEST 2011
Hi,

On Tue, Jul 26, 2011 at 09:13:39AM +0200, Christian Seitz wrote:
> On Mon, 25 Jul 2011, Sander Steffann wrote:
>
> >> 5) ?
> >
> > Adapt uRPF so that it doesn't filter ICMP error messages. Whether this is
> > useful depends on how much ICMP error messages with unreachable source
> > addresses we expect to see? When people/organizations start to use ULA
> > addresses it might be more than we see now.
>
> do you really want to disable filtering all ICMP packets from non-routed
> addresses? I do not like to have an ICMP DoS from unroutable addresses in
> my network. ICMP is important for IPv6 communication to work, yes, but
> only from routable addresses.

Uh, I don't think that point is valid. Regarding DoS possibilities, for ICMP *error* messages (which are not replied to) there's no difference between "coming from routed space" and "coming from non-routed space".

If you're worried about DoS-by-ICMP, you need rate-limits. uRPF won't help, as it's easy for a moderate-sized botnet to send you enough traffic from legitimate sources without needing to spoof source addresses...

> ULA could be the next problem. Not only loose uRPF may be the problem in
> this case, but also infrastructure ACLs which deny ULA addresses from
> outside. RFC4193 4.3 says that packets from ULA addresses should be
> filtered at the border. If somebody sends ICMP "Packet too big" with an
> address from the ULA range as the source address it is expected that it
> will be dropped somewhere (at the border of the own network, at the border
> of the destination network or somewhere in a backbone between those two
> networks).

Now that's a different can of worms. If someone numbers their transit network with ULAs and sends ICMP errors from ULA space, they deserve what you can think up for them.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
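The filtering behaviour debated in this message, as an added example that is not part of the original e-mail or the thread: a simplified Python model of a border router applying a ULA infrastructure ACL and loose uRPF, with the proposed exemption for ICMPv6 error messages as a switch. The routing table, the documentation prefixes and all function names are constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local addresses
ICMP6_ERROR_TYPES = range(0, 128)        # RFC 4443: types 0-127 are error messages
PACKET_TOO_BIG = 2
ECHO_REQUEST = 128                       # informational, not an error message

# Constructed routing table. The IXP peering LAN 2001:db8:ffff::/48 is
# deliberately absent, matching the scenario in the thread subject.
ROUTES = [ipaddress.ip_network(p) for p in ("2001:db8:1::/48", "2001:db8:2::/48")]


def has_route(src):
    """Loose uRPF check: any route covering the source is sufficient."""
    return any(src in net for net in ROUTES)


def border_verdict(source, icmp6_type, exempt_icmp_errors=False):
    """Return 'accept' or the reason the packet is dropped at the border."""
    src = ipaddress.ip_address(source)
    # The infrastructure ACL is evaluated first, so a uRPF exemption does not
    # rescue errors sourced from ULA space.
    if src in ULA:
        return "drop: ULA source (infrastructure ACL)"
    if exempt_icmp_errors and icmp6_type in ICMP6_ERROR_TYPES:
        return "accept"
    if not has_route(src):
        return "drop: loose uRPF, no route to source"
    return "accept"


# Constructed sample packets: (source address, ICMPv6 type)
SAMPLES = [
    ("2001:db8:1::1", PACKET_TOO_BIG),      # router in routed space
    ("2001:db8:ffff::10", PACKET_TOO_BIG),  # router on unannounced IXP LAN
    ("fd12:3456:789a::1", PACKET_TOO_BIG),  # router numbered from ULA
    ("2001:db8:ffff::10", ECHO_REQUEST),    # non-error from unrouted space
]


def evaluate(exempt_icmp_errors):
    return [border_verdict(s, t, exempt_icmp_errors) for s, t in SAMPLES]


if __name__ == "__main__":
    for exempt in (False, True):
        print("exempt ICMPv6 errors from uRPF:", exempt)
        for (src, typ), verdict in zip(SAMPLES, evaluate(exempt)):
            print(f"  {src:22} type {typ:3} -> {verdict}")
```

The model covers source filtering only; the rate limits the message recommends against ICMP floods are a separate control and are not modelled here.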