[ipv6-wg] Re: not announcing IXP IPv6 peering lan prefixes in global BGP table possibly breaks PMTUD
- Previous message (by thread): [ipv6-wg] Re: not announcing IXP IPv6 peering lan prefixes in global BGP table possibly breaks PMTUD
- Next message (by thread): [ipv6-wg] Re: not announcing IXP IPv6 peering lan prefixes in global BGP table possibly breaks PMTUD
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gert Doering
gert at space.net
Tue Jul 26 09:56:35 CEST 2011
Hi,

On Tue, Jul 26, 2011 at 09:13:39AM +0200, Christian Seitz wrote:
> On Mon, 25 Jul 2011, Sander Steffann wrote:
>
> >> 5) ?
> >
> > Adapt uRPF so that it doesn't filter ICMP error messages. Whether this is
> > useful depends on how many ICMP error messages with unreachable source
> > addresses we expect to see? When people/organizations start to use ULA
> > addresses it might be more than we see now.
>
> do you really want to disable filtering all ICMP packets from non-routed
> addresses? I do not like to have an ICMP DoS from unroutable addresses in
> my network. ICMP is important for IPv6 communication to work, yes, but
> only from routable addresses.

Uh, I don't think that point is valid.

Regarding DoS possibilities, for ICMP *error* messages (which are not
replied to) there's no difference between "coming from routed space" and
"coming from non-routed space".

If you're worried about DoS-by-ICMP, you need rate-limits. uRPF won't
help, as it's easy for a moderate-sized botnet to send you enough traffic
from legitimate sources without needing to spoof source addresses...

> ULA could be the next problem. Not only loose uRPF may be the problem in
> this case, but also infrastructure ACLs which deny ULA addresses from
> outside. RFC4193 4.3 says that packets from ULA addresses should be
> filtered at the border. If somebody sends ICMP "Packet too big" with an
> address from the ULA range as the source address it is expected that it
> will be dropped somewhere (at the border of their own network, at the
> border of the destination network or somewhere in a backbone between
> those two networks).

Now that's a different can of worms.

If someone numbers their transit network with ULAs and sends ICMP errors
from ULA space, they deserve what you can think up for them.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
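The following is an added example, not part of the mailing-list thread and not code from any of the participants. It simulates the border-router ingress policy the thread argues about: plain loose-mode uRPF drops an ICMPv6 "Packet Too Big" whose source is an IXP peering LAN that is not in the global table (breaking PMTUD); Sander's variant exempts ICMPv6 error messages (types 1-4) from uRPF so such PTBs get through; an RFC 4193 ULA filter ahead of uRPF still eats ULA-sourced errors, which the exemption cannot rescue; and, per Gert's point, the exempted errors are subjected to a rate-limit instead of relying on source-address filtering for DoS protection. All prefixes, the routing table, the packet objects and the bucket parameters are constructed assumptions (RFC 3849 documentation space), not real IXP or operator addressing.

```python
"""Loose uRPF vs. ICMPv6 error exemption at an IPv6 border (added example).

Assumptions (constructed for illustration): the RIB below, the IXP peering
LAN 2001:db8:ffff::/64 being absent from it, and the rate-limit values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table standing in for the border router's FIB.
# The IXP peering LAN (2001:db8:ffff::/64 in this example) is deliberately
# NOT present, matching the thread's scenario.
RIB = [ipaddress.ip_network(p) for p in (
    "2001:db8:a000::/36",   # assumed: our own aggregate
    "2001:db8:1000::/36",   # assumed: a peer's prefix learned via BGP
)]

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local range
ICMPV6 = 58                              # IPv6 next-header value for ICMPv6
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}        # RFC 4443: Destination Unreachable,
                                         # Packet Too Big, Time Exceeded,
                                         # Parameter Problem


@dataclass
class Packet:
    src: str
    dst: str
    next_header: int
    icmp_type: Optional[int] = None


def has_route(addr: str) -> bool:
    """Loose uRPF asks only: is there any route at all to the source?"""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RIB)


def is_icmpv6_error(pkt: Packet) -> bool:
    return pkt.next_header == ICMPV6 and pkt.icmp_type in ICMPV6_ERROR_TYPES


def urpf_loose(pkt: Packet, exempt_icmp_errors: bool = False) -> str:
    """Plain loose uRPF, optionally with ICMPv6 error messages exempted."""
    if exempt_icmp_errors and is_icmpv6_error(pkt):
        return "permit"
    return "permit" if has_route(pkt.src) else "drop"


class TokenBucket:
    """Minimal token bucket; 'now' is passed in so runs are deterministic."""

    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def border_ingress(pkt: Packet, bucket: TokenBucket, now: float = 0.0) -> str:
    """Ingress policy at the border, evaluated in this order:
    1. RFC 4193 4.3 ULA source filter (this also drops ULA-sourced PTBs).
    2. Loose uRPF with ICMPv6 errors exempted, so a PTB from an
       unannounced IXP LAN still reaches the host doing PMTUD.
    3. Rate-limit the exempted errors; uRPF is not the DoS control here.
    """
    if ipaddress.ip_address(pkt.src) in ULA:
        return "drop:ula"
    if urpf_loose(pkt, exempt_icmp_errors=True) == "drop":
        return "drop:urpf"
    if is_icmpv6_error(pkt) and not bucket.allow(now):
        return "drop:ratelimit"
    return "permit"


if __name__ == "__main__":
    # Constructed sample traffic: a PTB from the unannounced IXP LAN.
    ptb = Packet("2001:db8:ffff::1", "2001:db8:a000::10", ICMPV6, 2)
    print("plain loose uRPF:", urpf_loose(ptb))                      # drop
    print("with exemption:  ", urpf_loose(ptb, exempt_icmp_errors=True))
    bucket = TokenBucket(rate_pps=1.0, burst=3)
    for i in range(4):
        print(f"PTB #{i + 1} at t=0:", border_ingress(ptb, bucket, 0.0))
    print("ULA-sourced PTB:",
          border_ingress(Packet("fd00::1", "2001:db8:a000::10", ICMPV6, 2), bucket))
```

The exemption is deliberately narrow: an echo request (type 128) from the same unrouted source is still dropped by uRPF, only error types 1-4 bypass it, and those then hit the token bucket. In a real deployment the same shape is typically expressed as a uRPF exception ACL plus a control-plane or interface policer, with the bucket parameters sized per link.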