[nsp-sec-jp] ipv6 packet loop on p2p link
Matsuzaki Yoshinobu
maz @ iij.ad.jp
22 Jan 2007 (Mon) 18:04:08 EST
A quick update on this.
cisco reportedly already has an RFC4443-equivalent implementation in place, but there is a suspicion that some hardware
does not handle it properly. Already contacted.
juniper is broken across the board. A PR has been assigned; fix in progress.
Apart from that, 11 vendors have been contacted via JPCERT/CC.
That is roughly where things stand.
-----
Matsuzaki Yoshinobu <maz @ iij.ad.jp>
- IIJ/AS2497 INOC-DBA: 2497*629
Date: Wed, 13 Dec 2006 17:27:08 +0900 (JST)
Matsuzaki Yoshinobu <maz @ iij.ad.jp> wrote
> For those running IPv6.
>
> These days, p2p links such as pos and tunnel are assigned a /64 or /126 of IPv6
> addresses. With that, packets destined to an unused address in the prefix end up
> looping on the link.
> This was raised before as [I-D.ietf-ipngwg-p2p-pingpong], and in March of this year
> a fix was incorporated into ICMPv6 [RFC4443], but at present almost no routers
> seem to implement it, so we are stuck.
>
> For example, suppose 2001:db8::0/126 is assigned to a POS link as follows.
>
> [Router-1]----POS----[Router-2]
>    ::1                  ::2
>
> 2001:db8::0 Subnet-router anycast address
> 2001:db8::1 Router-1
> 2001:db8::2 Router-2
> 2001:db8::3 <<--unused global unicast!
>
> In this setup, packets destined to 2001:db8::3 loop. Since routers that implement
> subnet-anycast are still rare, packets to 2001:db8::0 actually loop as well. With a
> /64 it is far worse.
>
> The solutions conceivable at present are:
> 1) Discard at the router interface
> ### These are no good unless we get vendors to implement them. ###
> - Do ND (neighbor discovery) even on p2p links
> - Discard packets for the link's subnet when the input and output interfaces are the same
> This is written as a MUST in ICMPv6 [RFC4443].
> 2) Packet filter at the network edge
> - Edge Infrastructure ACL [I-D.ietf-opsec-infrastructure-security]
> 3) Operate with link-local addresses
> - If an emergency response is needed right now, this is it
> - But there are plenty of operational downsides, such as not being able to monitor
> 4) Put a /128 on both ends
> - Even more operational burden than link-local
> - Some implementations may not let you configure it
> 5) Operate with a /127
> - The 'subnet-router anycast address' becomes unusable
> - There is an RFC, "use of /127 considered harmful" [RFC3627]
> - But nobody uses anycast addresses on p2p links anyway, right?
>
> $B$"$H!"(B[RFC4443]$B$NH4?h!#(B
> $B$3$l$r%Y%s%@$KAGAa$/<BAu$7$F$b$i$&$N$OJLES4hD%$j$^$9!#(B
>
> [RFC4443] Internet Control Message Protocol (ICMPv6)
> 3. ICMPv6 Error Messages
>
> 3.1. Destination Unreachable Message
> <snip>
> One specific case in which a Destination Unreachable message is sent
> with a code 3 is in response to a packet received by a router from a
> point-to-point link, destined to an address within a subnet assigned
> to that same link (other than one of the receiving router's own
> addresses). In such a case, the packet MUST NOT be forwarded back
> onto the arrival link.
>
> That is about it. Comments welcome.
> -----
> Matsuzaki Yoshinobu <maz @ iij.ad.jp>
> - IIJ/AS2497 INOC-DBA: 2497*629
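The loop described above and the RFC 4443 section 3.1 rule that stops it, as an added Python model that is not part of the post and not vendor code. It uses the post's /126 and addresses; the interface names "ge0" and "pos0", the starting hop limit of 64, and the action labels are assumptions of this example. It also goes one step beyond the post: a subnet_anycast flag models a router that does implement the subnet-router anycast address, so you can see why 2001:db8::0 loops on routers that do not.

```python
"""Constructed model of the IPv6 ping-pong on a point-to-point link.

Two routers share a /126 on a POS link (addresses as in the post). A packet
for an unused address in that prefix is forwarded back and forth until its
hop limit expires, unless a router applies the RFC 4443 section 3.1 rule and
drops it with Destination Unreachable code 3. Interface names, hop limit and
action labels are assumptions of this example, not router or RFC values.
"""
import ipaddress


class Router:
    def __init__(self, name, link_prefix, own_addr, rfc4443=False,
                 subnet_anycast=False):
        self.name = name
        self.link = ipaddress.IPv6Network(link_prefix)   # prefix on the p2p link
        self.own = {ipaddress.IPv6Address(own_addr)}
        if subnet_anycast:
            # a router that implements the subnet-router anycast address also
            # accepts the all-zeros interface identifier as one of its own
            self.own.add(self.link.network_address)
        self.rfc4443 = rfc4443

    def handle(self, dst, arrival_if, hop_limit):
        """Decide what to do with a packet for dst that arrived on arrival_if.

        Returns (action, outgoing interface or None, remaining hop limit)."""
        if dst in self.own:
            return ("deliver", None, hop_limit)
        # The only route in this model is the connected /126 on "pos0".
        if dst not in self.link:
            return ("no_route", None, hop_limit)
        out_if = "pos0"
        if self.rfc4443 and arrival_if == out_if:
            # RFC 4443 3.1: a packet from a p2p link, destined to the subnet of
            # that same link but not to one of our own addresses, MUST NOT be
            # forwarded back onto the arrival link; answer with code 3 instead.
            return ("icmp_unreachable_code3", None, hop_limit)
        hop_limit -= 1
        if hop_limit == 0:
            # hop limit exhausted: discard and send Time Exceeded
            return ("icmp_time_exceeded", None, 0)
        return ("forward", out_if, hop_limit)


def simulate(dst, rfc4443=False, subnet_anycast=False, hop_limit=64):
    """Inject a packet for dst into Router-1 from its upstream interface
    "ge0" and follow it across the POS link.

    Returns (final action, number of times the packet crossed the link)."""
    r1 = Router("Router-1", "2001:db8::/126", "2001:db8::1", rfc4443, subnet_anycast)
    r2 = Router("Router-2", "2001:db8::/126", "2001:db8::2", rfc4443, subnet_anycast)
    peer = {r1: r2, r2: r1}
    dst = ipaddress.IPv6Address(dst)
    router, arrival_if, crossings = r1, "ge0", 0
    while True:
        action, out_if, hop_limit = router.handle(dst, arrival_if, hop_limit)
        if action != "forward":
            return action, crossings
        crossings += 1
        # the packet leaves on pos0 and shows up on the peer's pos0
        router, arrival_if = peer[router], out_if


if __name__ == "__main__":
    for target in ("2001:db8::2", "2001:db8::3", "2001:db8::0"):
        for fixed in (False, True):
            label = "rfc4443 " if fixed else "no check"
            print(target, label, simulate(target, rfc4443=fixed))
```

Without the check, a packet to ::3 crosses the link 63 times before the hop limit runs out, which is the amplification the post is worried about; with the check on even one side, it crosses once and is answered with code 3. Note that only the router receiving the packet from the link needs the rule, so a partial vendor rollout already breaks the loop.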