On 1/6/2011 9:27 AM, Mikael Abrahamsson wrote:
> On Thu, 6 Jan 2011, Lamar Owen wrote:
>> Ok, perhaps I'm dense, but why is the router going to try to find a host that it doesn't already know about based on an unsolicited outside packet? Why is the router trusting the outside's idea of what addresses are active, and why isn't the router dropping packets on the floor that are destined to hosts on one of its interfaces' local subnets that it doesn't already know about?
> Because the standard says it should do that.

The standard was broken with ARP, and continues to be broken with NDP. Routers should not handle things the same way normal hosts do.

>> If the packet is a response to a request from the host, then the router should have seen the outgoing packet (or, in the case of HSRP-teamed routers, all the routers in the standby group should be keeping track of all hosts, etc.) and it should already be in the neighbor table.
> Are you trying to abolish the end-to-end principle of the Internet by implementing stateful firewalls in all routers?

Not stateful firewalls. He's referring to neighbor learning based on incoming traffic to the router from the trusted side, i.e., I received a packet from the server, so I will add its MAC to my neighbor table. There are many methods for learning MAC addresses, though. DHCP/MAC security with static ARP and other viable options have properly killed this problem in v4 by routers not looking for unknown neighbors.

>> Like I said, perhaps I'm dense and ignorant and just simply misunderstanding the issue, but I still find it hard to believe that a router would blindly trust an outside address to know about an inside address that is not already in the router's neighbor table.
> That's how it's always worked, both for v4 and v6.

It's how it works, but not how it should work. In recent years, v4 has seen some nice implementations that are specifically designed (especially for eyeball networks who have vast pools of space) to keep routers from sending unsolicited ARP requests and to maintain only a valid pool of mappings. That is how the protocols should have been designed in the first place. Host-to-host communications are one thing. Router-to-host communications should be designed with the idea that the host needs to tell the router who it is, not the router asking. This keeps packets from unknown hosts from causing these table issues. There are also security measures (some of the above are designed to do this) dealing with local abuse and hijacking, but that is a separate issue. This is about resource exhaustion, and policing/ACL isn't the proper fix. Having hosts (in a secure or insecure manner) notify the router of their mapping is the appropriate fix. Protocol-wise, insecure is fine, wrapped with an extra layer of security (as security can have multiple implementations).

Jack
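To make the resource-exhaustion argument in the exchange above concrete, here is an added toy model; it is not code from the thread or from any of its participants. It compares the RFC 4861 behaviour the thread complains about (an inbound packet to an unknown on-link address creates an INCOMPLETE neighbor entry and triggers a Neighbor Solicitation) with the "host tells the router who it is" policy Jack argues for, where the router only holds entries for addresses it has heard from on the inside. The documentation prefix, the table size of 1024, the ten hosts and the scanner's packet count are constructed parameters, not figures from the thread, and the model has no timers: a real router discards an INCOMPLETE entry after a few failed solicitations, so a real attack needs sustained rate rather than a one-shot burst.

```python
"""Toy model of IPv6 neighbor-cache exhaustion on a router's /64.

Two router policies are compared (constructed example, not code from the
original thread):
  * inside_only=False: RFC 4861-style. A packet from outside to an unknown
    on-link address creates an INCOMPLETE entry and a Neighbor Solicitation,
    so a scanner can fill the table with addresses that do not exist.
  * inside_only=True:  the router only keeps entries for addresses it has
    heard from on the LAN side; packets to anything else are dropped without
    any solicitation.
Simplification: no timers, so INCOMPLETE entries never age out here.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
import random

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


@dataclass
class Router:
    prefix: IPv6Network
    capacity: int                 # assumed neighbor-table size (model parameter)
    inside_only: bool
    cache: dict = field(default_factory=dict)  # IPv6Address -> state
    ns_sent: int = 0

    def from_inside(self, src: IPv6Address) -> None:
        """Traffic seen on the LAN side: the 'host tells the router who it is' path."""
        if not (self.inside_only and src in self.prefix):
            return
        if src in self.cache or len(self.cache) < self.capacity:
            self.cache[src] = REACHABLE

    def from_outside(self, dst: IPv6Address, live_hosts: set) -> bool:
        """Forward a packet toward an on-link destination; True if it is delivered."""
        if dst not in self.prefix:
            return False
        if self.cache.get(dst) == REACHABLE:
            return True
        if self.inside_only:
            return False                      # unknown inside address: drop, do not solicit
        if dst not in self.cache:
            if len(self.cache) >= self.capacity:
                return False                  # table full: no entry can be created
            self.cache[dst] = INCOMPLETE      # slot consumed before anyone answers
        self.ns_sent += 1                     # multicast NS for dst
        if dst in live_hosts:                 # a real host answers with an NA
            self.cache[dst] = REACHABLE
            return True
        return False                          # nobody answers; entry stays INCOMPLETE


def simulate(inside_only: bool, attack_packets: int = 3000,
             capacity: int = 1024, seed: int = 7) -> dict:
    """Run one scan against a /64 and report what the router's table looks like."""
    rng = random.Random(seed)
    prefix = IPv6Network("2001:db8:0:1::/64")          # documentation prefix
    hosts = {prefix[i] for i in range(1, 11)}          # ten real hosts, ::1 .. ::a
    r = Router(prefix, capacity, inside_only)
    for h in hosts:                                    # hosts send something outbound first
        r.from_inside(h)
    attack_delivered = 0
    for _ in range(attack_packets):                    # scanner hits random addresses in the /64
        victim = IPv6Address(int(prefix.network_address) | rng.getrandbits(64))
        attack_delivered += r.from_outside(victim, hosts)
    hosts_reachable = sum(r.from_outside(h, hosts) for h in hosts)  # return traffic for real hosts
    return {
        "incomplete": sum(s == INCOMPLETE for s in r.cache.values()),
        "ns_sent": r.ns_sent,
        "hosts_reachable": hosts_reachable,
        "attack_delivered": attack_delivered,
    }


if __name__ == "__main__":
    for policy in (False, True):
        print("inside_only=%s -> %s" % (policy, simulate(policy)))
```

With the default parameters the RFC 4861-style router ends up with 1024 INCOMPLETE entries, has sent 1024 solicitations for addresses that do not exist, and can no longer deliver return traffic to any of the ten real hosts; the inside-learning router sends no solicitations, holds only the ten real entries, and delivers to all ten. Neither policy lets the scanner reach anything, which is the point of the thread: the damage is to the table, not to the hosts.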