IPv4 source routing options and IPv6 Type 0 Routing Header
Hello, folks, Quite a few times it has been mentioned to me that some peering agreements require support for the IPv4 source routing options. I was wondering whether this is still the case for some ISPs, or it is not the case anymore. I was also wondering if it has ever been the case that IPv6 peering agreements have required support for Type 0 Routing Header and, if it has, whether that still happens nowadays. (I guess not, but....) Thanks so much! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
On 25 Jun 2008, at 03:55, Fernando Gont wrote:
Quite a few times it has been mentioned to me that some peering agreements require support for the IPv4 source routing options. I was wondering whether this is still the case for some ISPs, or it is not the case anymore.
I was also wondering if it has ever been the case that IPv6 peering agreements have required support for Type 0 Routing Header and, if it has, whether that still happens nowadays. (I guess not, but....)
I have never seen such a requirement for IPv6. Note also that type-0 routing headers were deprecated in RFC 5095, last year.
The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in light of this security concern.
Joe
Quite a few times it has been mentioned to me that some peering agreements require support for the IPv4 source routing options. I was wondering whether this is still the case for some ISPs, or it is not the case anymore.
Before we decommissioned our last open peering fabric, source-routing was important to make sure your peer wasn't pointing default (or similar) to you. With the advent of private (and far more limited) bilateral peering as a preference to fabric based peering (at least among the ones who set peering policies globally) this has become less of an issue. RFC 5095 aside. Deepak
At 05:43 p.m. 25/06/2008, Deepak Jain wrote:
Quite a few times it has been mentioned to me that some peering agreements require support for the IPv4 source routing options. I was wondering whether this is still the case for some ISPs, or it is not the case anymore.
Before we decommissioned our last open peering fabric, source-routing was important to make sure your peer wasn't pointing default (or similar) to you. With the advent of private (and far more limited) bilateral peering as a preference to fabric based peering (at least among the ones who set peering policies globally) this has become less of an issue.
Thanks so much for your response!
RFC 5095 aside.
Yes, sorry. The question should have been: Has IPv6 Type 0 Routing Header ever been a requirement in v6 peering agreements? (In any case, I guess Type 0 Routing Header could still be used, in the same way that v4 source-routing was still being used even after many IP implementations had decided to filter it by default?) Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
On 25 Jun 2008, at 21:44, Fernando Gont wrote:
(In any case, I guess Type 0 Routing Header could still be used, in the same way that v4 source-routing was still being used even after many IP implementations had decided to filter it by default?)
Between adjacent, consenting routers, you can surely expect to be able to do whatever the routers will let you do. Joe
sorry to pick this up so late. source routing is still requested and sometimes mandated at inter-as borders. for the reasons deepak stated. note that this does not expose any vulnerability. source routing is only dangerous to hosts.
Yes, sorry. The question should have been: Has IPv6 Type 0 Routing Header ever been a requirement in v6 peering agreements?
not of which i am aware. imiho, from ops pov extension headers are unneeded kink. randy
At 03:44 a.m. 26/06/2008, Randy Bush wrote:
source routing is still requested and sometimes mandated at inter-as borders. for the reasons deepak stated. note that this does not expose any vulnerability. source routing is only dangerous to hosts.
Well, it can be used as an amplification mechanism for bandwidth consuption attacks (although it is not as effective as the Type 0 Routing header of v6, because of the limited space in the v4 header). Thanks! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Deepak Jain wrote:
Quite a few times it has been mentioned to me that some peering agreements require support for the IPv4 source routing options. I was wondering whether this is still the case for some ISPs, or it is not the case anymore.
Before we decommissioned our last open peering fabric, source-routing was important to make sure your peer wasn't pointing default (or similar) to you. With the advent of private (and far more limited) bilateral peering as a preference to fabric based peering (at least among the ones who set peering policies globally) this has become less of an issue.
RFC 5095 aside.
Can someone give an example of how to use source routing to check a peers routing policy? Thanks, Sam
On Mon, Jun 30, 2008 at 06:35:12PM +0100, Sam Stickland wrote:
Can someone give an example of how to use source routing to check a peers routing policy?
Channelling from a similar private conversation I had many years ago: Seeing if packets directed to prefixes that you're not announcing come back to you is interesting (and can be an indicator that someone is pointing default at you). Seeing if packets directed to prefixes you *are* announcing *do* come back to you is also interesting. So, an example might be to send a traceroute across a peer's link via source routing, and watching the result.
Fernando Gont wrote:
Hello, folks,
Quite a few times it has been mentioned to me that some peering agreements require support for the IPv4 source routing options. I was wondering whether this is still the case for some ISPs, or it is not the case anymore.
I haven't observed it in the recent past. looking backwards I can see a handfull of operators that did it (LSR) by policy everywhere in 2002.
I was also wondering if it has ever been the case that IPv6 peering agreements have required support for Type 0 Routing Header and, if it has, whether that still happens nowadays. (I guess not, but....)
I think you'd be hardpressed to find an operator that would knowingly honor rh(0) headers
Thanks so much!
Kind regards,
-- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
participants (7)
-
Deepak Jain -
Fernando Gont -
Joe Abley -
Joel Jaeggli -
John Osmon -
Randy Bush -
Sam Stickland