Hi John, On 22.11.21 10:25, John Gilmore wrote:
Eliot Lear <lear@ofcourseimright.com> wrote:
I was not in this part of IETF in those days, so I did not participate in those discussions. But I later read them on the archived mailing list, and reached out by email to Dave Thaler for more details about his concerns. He responded with the same general issues (and a request that we and everyone else spend more time on IPv6). I asked in a subsequent message for any details he has about such products that he thought would fail. He was unable or unwilling to point out even a single operating system, Internet node type, or firewall product that would fail unsafely if it saw packets from the 240/4 range.
To be fair, you were asking him to recall a conversation that did take place quite some time earlier.
As documented in our Internet-Draft, all such products known to us either accept those packets as unicast traffic, or reject such packets and do not let them through. None crashes, reboots, fills logfiles with endless messages, falls on the floor, or otherwise fails. No known firewall is letting 240/4 packets through on the theory that it's perfectly safe because every end-system will discard them.
As far as I can tell, what Eliot says really stopped this proposal in 2008 was Dave's hand-wave of *potential* concern, not an actual documented problem with the proposal.
I wouldn't go so far as to call it a hand wave. You have found devices that drop packets. That's enough to note that this block of space would not be substitutable for other unicast address space. And quite frankly, unless you're testing every device ever made, you simply can't know how this stuff will work in the wild. That's ok, though, so long as the use is limited to environments that can cope with it.
If anyone knows an *actual* documented problem with 240/4 packets, please tell us!
(And as I pointed out subsequently to Dave, if any nodes currently in service would *actually* crash if they received a 240/4 packet, that's a critical denial of service issue. For reasons completely independent from our proposal, those machines should be rapidly identified and patched, rather than remaining vulnerable from 2008 thru 2021 and beyond. It would be trivial for an attacker to send such packets-of-death from any Linux, Solaris, Android, MacOS, or iOS machine that they've broken into on the local LAN. And even Windows machines may have ways to send raw Ethernet packets that could be crafted by an attacker to appear to be deadly IPv4 240/4 packets.)
Right, and indeed there are devices out there that have been known to stop functioning properly under certain forms of attack, regardless of the source address. Eliot