Discussion:
ICMPv6 redirects
Jonathan A. Kollasch
2009-09-07 20:50:31 UTC
Hi,

I statically configure my IPv6 addresses, and would like to use fe80::1%ifN
as my default route, for somewhat obvious reasons.

However, this doesn't appear to be allowed by the code. It insists that
redirects come from the default route. As my default route is anycast,
this just won't work.

I do understand why this is implemented this way. But shouldn't this
be tunable?

Jonathan Kollasch

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
der Mouse
2009-09-07 23:59:32 UTC
Post by Jonathan A. Kollasch
I do understand why this is implemented this way. But shouldn't this
be tunable?
That depends on the extent to which you agree with the point of view
that the IPv6 design people know better than you do how your network
should be set up. I've run into parallel issues myself often enough;
I've been told everything from I should always use prefixlen 64 to I
should never do static routing.

I prefer not to drink the koolaid. I work on the "as if" principle: if
you can't tell from the outside whether I'm doing it, it's not
appropriate to gratuitously forbid it.

But, of course, I didn't write the code, and if I did write code that
implements that I, um, doubt it would be accepted, shall we say.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Steven M. Bellovin
2009-09-08 00:16:13 UTC
On Mon, 7 Sep 2009 19:59:32 -0400 (EDT)
Post by der Mouse
Post by Jonathan A. Kollasch
I do understand why this is implemented this way. But shouldn't
this be tunable?
That depends on the extent to which you agree with the point of view
that the IPv6 design people know better than you do how your network
should be set up. I've run into parallel issues myself often enough;
I've been told everything from I should always use prefixlen 64 to I
should never do static routing.
if you can't tell from the outside whether I'm doing it, it's not
appropriate to gratuitously forbid it.
But, of course, I didn't write the code, and if I did write code that
implements that I, um, doubt it would be accepted, shall we say.
In this case, though, there's a security issue, though arguably one
that's not a lot more serious than Neighbor Discovery without SEND.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

der Mouse
2009-09-08 00:25:41 UTC
Post by Steven M. Bellovin
Post by Jonathan A. Kollasch
I do understand why this is implemented this way. But shouldn't
this be tunable?
[..."I think so"...]
In this case, though, there's a security issue, though arguably one
that's not a lot more serious than Neighbor Discovery without SEND.
What's the issue? I can't see anything wrong with this, unless the
threat model includes hostile machines in the same broadcast domain.
(Yes, there are plenty of environments where that's a necessary part of
the threat model, but there are also plenty of environments where it's
not, and I don't think it's sane to cater to the former to the extent
of making it require hacking the code to obtain certain reasonable
configurations for the latter.)

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Steven M. Bellovin
2009-09-08 00:52:22 UTC
On Mon, 7 Sep 2009 20:25:41 -0400 (EDT)
Post by der Mouse
Post by Steven M. Bellovin
Post by Jonathan A. Kollasch
I do understand why this is implemented this way. But shouldn't
this be tunable?
[..."I think so"...]
In this case, though, there's a security issue, though arguably one
that's not a lot more serious than Neighbor Discovery without SEND.
What's the issue? I can't see anything wrong with this, unless the
threat model includes hostile machines in the same broadcast domain.
(Yes, there are plenty of environments where that's a necessary part
of the threat model, but there are also plenty of environments where
it's not, and I don't think it's sane to cater to the former to the
extent of making it require hacking the code to obtain certain
reasonable configurations for the latter.)
A local machine may be hostile if it's been hacked. Also note that the
straightforward change -- permitting the redirect from anywhere --
creates a very serious DoS potential. I'd be much more comfortable
with a knob permitting redirects from link-local addresses, though
again there's the hacked machine problem.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

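As an added illustration (not code from the thread or from NetBSD), here is a Python model of the ICMPv6 Redirect validation checks from RFC 4861 section 8.1, with a hypothetical LINKLOCAL_ANY knob standing in for the relaxation Steve describes (accept any link-local source instead of only the current first-hop router). The routes, addresses and redirect messages are constructed samples built around the fe80::1 anycast default route from the original question.

```python
import ipaddress
from dataclasses import dataclass

STRICT = "strict"         # RFC 4861 s8.1: source must be the current first-hop router
LINKLOCAL_ANY = "lladdr"  # hypothetical knob: accept from any link-local source

@dataclass(frozen=True)
class Redirect:
    src: str        # IPv6 source address of the ICMPv6 packet
    hop_limit: int  # IPv6 Hop Limit; 255 means no router forwarded it
    code: int       # ICMPv6 Code field
    target: str     # Target Address: the proposed better first hop
    dest: str       # Destination Address being redirected

def is_link_local(addr):
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fe80::/10")

def first_hop(dest, routes):
    """Longest-prefix match over [(prefix, next_hop)]; None if no route."""
    d, best = ipaddress.IPv6Address(dest), None
    for prefix, nh in routes:
        net = ipaddress.IPv6Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return ipaddress.IPv6Address(best[1]) if best else None

def check_redirect(rd, routes, policy=STRICT):
    """Return None if the redirect may be applied, else the reason to drop it."""
    if rd.hop_limit != 255:
        return "hop limit is not 255: packet crossed a router"
    if rd.code != 0:
        return "ICMPv6 code is not 0"
    if not is_link_local(rd.src):
        return "source is not link-local"
    if ipaddress.IPv6Address(rd.dest).is_multicast:
        return "destination is multicast"
    if not (is_link_local(rd.target) or rd.target == rd.dest):
        return "target is neither link-local nor the destination itself"
    nh = first_hop(rd.dest, routes)  # comparing against None rejects as well
    if policy == STRICT and ipaddress.IPv6Address(rd.src) != nh:
        return "source is not the current first-hop router for the destination"
    return None

# Constructed sample: default route via the anycast fe80::1, as in the thread;
# the real router sends the redirect from its own (made-up) link-local address.
ROUTES = [("::/0", "fe80::1"), ("2001:db8:1::/64", "fe80::1")]
FROM_ROUTER = Redirect("fe80::211:22ff:fe33:4455", 255, 0,
                       "fe80::211:22ff:fe33:4455", "2001:db8:9::1")
FORWARDED = Redirect("fe80::99", 64, 0, "fe80::99", "2001:db8:9::1")
```

Under STRICT the genuine router's redirect is dropped because its source is not fe80::1, which is exactly the behaviour the original post runs into; under LINKLOCAL_ANY it is accepted, while the hop-limit check still drops anything that arrived through a router.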