Hi, On Tue, Jul 26, 2011 at 09:13:39AM +0200, Christian Seitz wrote:
On Mon, 25 Jul 2011, Sander Steffann wrote:
5) ?
Adapt uRPF so that it doesn't filter ICMP error messages. Whether this is useful depends on how many ICMP error messages with unreachable source addresses we expect to see? When people/organizations start to use ULA addresses it might be more than we see now.
do you really want to disable filtering all ICMP packets from non-routed addresses? I do not like to have an ICMP DoS from unroutable addresses in my network. ICMP is important for IPv6 communication to work, yes, but only from routable addresses.
Uh, I don't think that point is valid. Regarding DoS possibilities, for ICMP *error* messages (which are not replied to) there's no difference between "coming from routed space" and "coming from non-routed space". If you're worried about DoS-by-ICMP, you need rate-limits. uRPF won't help, as it's easy for a moderate-sized botnet to send you enough traffic from legitimate sources without needing to spoof source addresses...
ULA could be the next problem. Not only loose uRPF may be the problem in this case, but also infrastructure ACLs which deny ULA addresses from outside. RFC4193 4.3 says that packets from ULA addresses should be filtered at the border. If somebody sends ICMP "Packet too big" with an address from the ULA range as the source address it is expected that it will be dropped somewhere (at the border of the own network, at the border of the destination network or somewhere in a backbone between those two networks).
Now that's a different can of worms. If someone numbers their transit network with ULAs and sends ICMP errors from ULA space, they deserve what you can think up for them.

Gert Doering
-- NetMaster
-- have you enabled IPv6 on something today...?

SpaceNet AG
Joseph-Dollinger-Bogen 14
D-80807 Muenchen
Tel: +49 (89) 32356-444
Management board (Vorstand): Sebastian v. Bomhard
Supervisory board chair (Aufsichtsratsvors.): A. Grundner-Culemann
Commercial register: HRB 136055 (AG Muenchen)
VAT ID (USt-IdNr.): DE813185279
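The four filtering behaviours argued over in the thread, as an added illustration that is not part of the original messages and not code from any of the posters: a toy Python model of loose-mode uRPF, an RFC 4193 section 4.3 style border ACL for ULA sources, the proposed exemption of ICMPv6 error messages from uRPF, and the per-source rate limit Gert points to instead. The FIB contents, the prefixes and the packets are constructed for the example; on a real router these are configuration, not code.

```python
"""Toy model of the filter policies debated in the thread.

Added example, not code from any of the posters. It models loose uRPF
(pass if any route to the source exists), an RFC 4193 section 4.3 style
border ACL that drops ULA sources, the proposed exemption of ICMPv6 error
messages from uRPF, and a per-source rate limit for ICMPv6 errors.
The FIB and the packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 4443 ICMPv6 error message types. Informational types (echo
# request/reply, 128/129) are deliberately not in this set: the
# exemption is for errors, which are never replied to.
ICMPV6_ERROR_TYPES = {1: "Destination Unreachable", 2: "Packet Too Big",
                      3: "Time Exceeded", 4: "Parameter Problem"}
ULA = ipaddress.ip_network("fc00::/7")   # RFC 4193 Unique Local Addresses
IPPROTO_ICMPV6 = 58

# Constructed FIB: two global prefixes plus one ULA prefix that is routed
# internally (the "transit network numbered with ULA" case from the thread).
FIB = [ipaddress.ip_network(p) for p in
       ("2001:db8::/32", "2a00:1234::/32", "fd00:1::/48")]


@dataclass(frozen=True)
class Packet:
    src: str
    next_header: int
    icmp_type: Optional[int] = None


def has_route(src: ipaddress.IPv6Address) -> bool:
    return any(src in prefix for prefix in FIB)


def is_icmpv6_error(pkt: Packet) -> bool:
    return pkt.next_header == IPPROTO_ICMPV6 and pkt.icmp_type in ICMPV6_ERROR_TYPES


def loose_urpf(pkt: Packet, exempt_icmp_errors: bool = False) -> bool:
    """Loose-mode uRPF: accept when any route to the source exists.
    With exempt_icmp_errors the check is skipped for ICMPv6 errors only;
    other traffic from unrouted space is still dropped."""
    if exempt_icmp_errors and is_icmpv6_error(pkt):
        return True
    return has_route(ipaddress.ip_address(pkt.src))


def ula_border_acl(pkt: Packet) -> bool:
    """RFC 4193 4.3: ULA-sourced packets are dropped at the site border
    whatever the upper-layer protocol, so a Packet Too Big sourced from
    fc00::/7 is lost here even when uRPF would have let it through."""
    return ipaddress.ip_address(pkt.src) not in ULA


def decide(pkt: Packet) -> Tuple[bool, bool, bool]:
    """Returns (plain loose uRPF, uRPF with ICMP-error exemption,
    border ACL combined with uRPF-with-exemption); True means forwarded."""
    return (loose_urpf(pkt),
            loose_urpf(pkt, exempt_icmp_errors=True),
            ula_border_acl(pkt) and loose_urpf(pkt, exempt_icmp_errors=True))


class IcmpErrorRateLimiter:
    """Per-source token bucket. Spoofed or not, a flood of ICMPv6 errors
    from one source is cut to `rate` per second once `burst` is spent;
    uRPF gives no such control for traffic from routable sources."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, Tuple[float, float]] = {}  # src -> (tokens, last seen)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def flood_test() -> Tuple[int, bool]:
    """Ten PTBs from a routable source in one instant, then one 2 s later."""
    limiter = IcmpErrorRateLimiter(rate=1.0, burst=3)
    accepted = sum(limiter.allow("2001:db8::1", now=100.0) for _ in range(10))
    return accepted, limiter.allow("2001:db8::1", now=102.0)


if __name__ == "__main__":
    for label, pkt in [
        ("PTB, global routed src", Packet("2001:db8::1", IPPROTO_ICMPV6, 2)),
        ("PTB, no route to src", Packet("3fff:ffff::1", IPPROTO_ICMPV6, 2)),
        ("UDP, no route to src", Packet("3fff:ffff::1", 17)),
        ("PTB, unrouted ULA src", Packet("fd12:3456::1", IPPROTO_ICMPV6, 2)),
        ("PTB, routed ULA src", Packet("fd00:1::1", IPPROTO_ICMPV6, 2)),
    ]:
        urpf, exempt, border = decide(pkt)
        print(f"{label:24s} uRPF={urpf!s:5} exempt={exempt!s:5} border+exempt={border}")
    print("rate limiter (accepted in burst, accepted after 2 s):", flood_test())
```

The two outcomes worth noticing match the thread: the exemption rescues a Packet Too Big from an unrouted global source while still dropping UDP from the same source, but it does nothing for a ULA-sourced PTB once the section 4.3 border filter is in place, even when the ULA prefix is routed inside the network. The rate limiter, unlike either source check, also caps the flood from the routable `2001:db8::1`.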