
Hello,

On Mon, 25 Jul 2011, Sander Steffann wrote:
> 5)
> Adapt uRPF so that it doesn't filter ICMP error messages. Whether this is useful depends on how many ICMP error messages with unreachable source addresses we expect to see? When people/organizations start to use ULA addresses it might be more than we see now.
Do you really want to disable filtering all ICMP packets from non-routed addresses? I do not like to have an ICMP DoS from unroutable addresses in my network. ICMP is important for IPv6 communication to work, yes, but only from routable addresses.

ULA could be the next problem. Not only loose uRPF may be the problem in this case, but also infrastructure ACLs which deny ULA addresses from outside. RFC4193 4.3 says that packets from ULA addresses should be filtered at the border. If somebody sends ICMP "Packet too big" with an address from the ULA range as the source address it is expected that it will be dropped somewhere (at the border of one's own network, at the border of the destination network or somewhere in a backbone between those two networks).

Regards,
Chris
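An added example, not code from anyone in this thread, that models the two filtering stages Chris describes (an infrastructure ACL dropping ULA-sourced packets at the border per RFC 4193 section 4.3, followed by loose uRPF) and compares it with Sander's option 5 of exempting ICMPv6 error messages from the uRPF check. The routing table, addresses and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local address block
ICMPV6 = 58                               # IPv6 next-header value for ICMPv6
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}         # dest unreachable, packet too big, time exceeded, param problem
PACKET_TOO_BIG = 2
ECHO_REQUEST = 128

# Constructed routing table of the border router: prefixes it holds a route for.
ROUTABLE = [ipaddress.ip_network(p) for p in ("2001:db8:1::/48", "2001:db8:2::/48")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    next_header: int
    icmp_type: int = -1   # only meaningful when next_header == ICMPV6


def is_icmp_error(pkt: Packet) -> bool:
    return pkt.next_header == ICMPV6 and pkt.icmp_type in ICMPV6_ERROR_TYPES


def loose_urpf_ok(pkt: Packet) -> bool:
    """Loose uRPF: accept if any route exists for the source address, on any interface."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in ROUTABLE)


def border_filter(pkt: Packet, exempt_icmp_errors: bool = False) -> tuple:
    """Return (verdict, reason) for an inbound packet at the network border.

    Stage 1 is the RFC 4193 4.3 ACL: ULA sources are dropped unconditionally,
    so a Packet Too Big from fd00::/8 never reaches the uRPF stage, whichever
    uRPF policy is chosen. Stage 2 is loose uRPF; with exempt_icmp_errors=True
    (option 5 in the thread) ICMPv6 errors bypass it, which also lets an
    unroutable-source ICMPv6 error flood through.
    """
    if ipaddress.ip_address(pkt.src) in ULA:
        return ("drop", "ula-source-at-border")
    if loose_urpf_ok(pkt):
        return ("accept", "urpf-pass")
    if exempt_icmp_errors and is_icmp_error(pkt):
        return ("accept", "urpf-exempt-icmp-error")
    return ("drop", "urpf-fail")


if __name__ == "__main__":
    dst = "2001:db8:1::10"
    samples = [Packet("fd00::1", dst, ICMPV6, PACKET_TOO_BIG),           # ULA-sourced PTB
               Packet("2001:db8:ffff::1", dst, ICMPV6, PACKET_TOO_BIG),  # unrouted global PTB
               Packet("2001:db8:ffff::1", dst, ICMPV6, ECHO_REQUEST),    # unrouted echo request
               Packet("2001:db8:2::1", dst, ICMPV6, PACKET_TOO_BIG)]     # routed source
    for p in samples:
        print(p.src, "strict:", border_filter(p), "option5:", border_filter(p, True))
```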