On Thursday, January 06, 2011 10:27:54 am you wrote:
> On Thu, 6 Jan 2011, Lamar Owen wrote:
>> Ok, perhaps I'm dense, but why is the router going to try to find a host that it already doesn't know based on an unsolicited outside packet?
>
> Because the standard says it should do that.

Since when have standards been blindly followed by vendors? If I were an IPv6 router vendor, I'd code up a 'drop the packet if it's destined for an address in a directly attached subnet but that doesn't already have a neighbor table entry' knob and sell it as a high-priced security add-on to my already bloated product line.... Actually, thinking like a coder, it would be removing the code that punts to neighbor discovery on receipt of an outside-the-destination-subnet packet destined to an address that's not in the neighbor table (and is an address within one of the router's directly attached subnets), and wouldn't require any additional CPU (or hardware punt to neighbor discovery) to implement. Could even be sold as a forwarding performance improvement (for incoming-to-the-subnet packets only, obviously). And then allow an 'icmp-host-unreachable' to either be returned or not, according to the policy of the subnet in question. Standards are written by people, of course, and most paragraphs have reasons to be there; I would find it interesting to hear the rationale for a router filling a slot in its neighbor table for a host that doesn't exist. For that matter, I'd like to see a pointer to which standard says this so I can read the verbiage myself, as that may have enough explanation to satisfy my curiosity.

>> If the packet is a response to a request from the host, then the router should have seen the outgoing packet (or, in the case of HSRP-teamed routers, all the routers in the standby group should be keeping track of all hosts, etc.) and it should already be in the neighbor table.
>
> Are you trying to abolish the end-to-end principle of the Internet by implementing stateful firewalls in all routers?

Not at all; end-to-end is fine, but if there is no end to send a packet to, that packet should be dropped and not blindly trusted (since it will be abused for sure) by the router serving the destination subnet, which is the only router that is in a position to know if the endpoint exists or not. Dropping in this case means 'don't punt to discovery for this packet' and isn't blocking; it's just not taking the extra effort to look up something it already doesn't know. Not what I consider a stateful firewall. This reminds me somewhat of some IPv4 routers doing Proxy ARP by default.

>> Like I said, perhaps I'm dense and ignorant and just simply misunderstanding the issue, but I still find it hard to believe that a router would blindly trust an outside address to know about an inside address that is not already in the router's neighbor table.
>
> That's how it's always worked, both for v4 and v6.

Sounds like I need to study it in more depth, but I'm still having a hard time seeing why such behavior is a good idea. Time to break out the Wireshark laptop and do some SPANning.... and to see if I can find the reference in the RFCs somewhere. Thanks for the info.
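The behaviour argued over above, as an added toy model that is not code from the thread or from any router vendor: a router deciding what to do with a packet whose destination lies in a directly attached /64, with the standard "create an INCOMPLETE neighbor entry and solicit" path beside the "don't punt to discovery for an outside packet to an unknown address" knob proposed in the reply. The prefix, addresses, cache size and the `Router`, `sweep` and `punt_unknown_from_outside` names are all constructed for the illustration.

```python
from collections import OrderedDict

# Added model (not code from the thread): a router's decision for a packet whose
# destination lies in a directly attached /64.  Addresses and cache size are
# constructed; 'punt_unknown_from_outside' is the knob proposed above, turned off.
class Router:
    def __init__(self, cache_limit, punt_unknown_from_outside):
        self.cache_limit = cache_limit
        self.punt = punt_unknown_from_outside
        self.cache = OrderedDict()  # dst -> "REACHABLE" | "INCOMPLETE"
        self.stats = {"forwarded": 0, "solicited": 0, "dropped": 0}

    def learn(self, addr):
        """Entry learned from the host's own traffic (its NA, or an outbound packet)."""
        self.cache[addr] = "REACHABLE"
        self.cache.move_to_end(addr)

    def receive(self, dst, from_outside):
        state = self.cache.get(dst)
        if state == "REACHABLE":
            self.stats["forwarded"] += 1
            return "forward"
        if from_outside and not self.punt:
            # proposed knob: no discovery for an address the router doesn't know
            self.stats["dropped"] += 1
            return "drop"
        # standard behaviour: create an INCOMPLETE entry, send NS, queue the packet
        if dst not in self.cache:
            if len(self.cache) >= self.cache_limit:
                self.cache.popitem(last=False)  # evict oldest, possibly a real host
            self.cache[dst] = "INCOMPLETE"
        self.stats["solicited"] += 1
        return "solicit"

def sweep(punt_unknown_from_outside, n_unused=8):
    """One known host, then n unsolicited outside packets to unused addresses."""
    r = Router(cache_limit=4, punt_unknown_from_outside=punt_unknown_from_outside)
    r.learn("2001:db8:1::10")  # constructed: the one real host on the link
    for i in range(n_unused):
        r.receive(f"2001:db8:1::{0x100 + i:x}", from_outside=True)
    return r

if __name__ == "__main__":
    for knob in (True, False):
        r = sweep(knob)
        print("punt" if knob else "no-punt", r.stats, dict(r.cache))
```

With the standard path the unsolicited sweep fills the small cache with INCOMPLETE entries and evicts the real host; with the knob the real host's entry survives and nothing is solicited. The cost of the knob shows up when a legitimate host's entry has aged out: the first inbound packet to it is dropped until the host itself sends something.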