Eliot Lear <lear@ofcourseimright.com> wrote:
> In 2008, Vince Fuller, Dave Meyer, and I put together
> draft-fuller-240space, and we presented it to the IETF. There were
> definitely people who thought we should just try to get to v6, but
> what really stopped us was a point that Dave Thaler made: unintended
> impact on non-participating devices, and in particular CPE/consumer
> firewall gear, and at the time there were serious concerns about some
> endpoint systems as well.
I was not in this part of IETF in those days, so I did not participate
in those discussions. But I later read them on the archived mailing
list, and reached out by email to Dave Thaler for more details about his
concerns. He responded with the same general issues (and a request that
we and everyone else spend more time on IPv6). I asked in a subsequent
message for any details he has about such products that he thought would
fail. He was unable or unwilling to point out even a single operating
system, Internet node type, or firewall product that would fail unsafely
if it saw packets from the 240/4 range.
As documented in our Internet-Draft, all such products known to us
either accept those packets as unicast traffic, or reject such packets
and do not let them through. None crashes, reboots, fills logfiles with
endless messages, falls on the floor, or otherwise fails. No known
firewall is letting 240/4 packets through on the theory that it's
perfectly safe because every end-system will discard them.
As far as I can tell, what Eliot says really stopped this proposal in
2008 was Dave's hand-wave of *potential* concern, not an actual
documented problem with the proposal.
If anyone knows an *actual* documented problem with 240/4 packets,
please tell us!
(And as I pointed out subsequently to Dave, if any nodes currently in
service would *actually* crash if they received a 240/4 packet, that's a
critical denial of service issue. For reasons completely independent
from our proposal, those machines should be rapidly identified and
patched, rather than remaining vulnerable from 2008 thru 2021 and
beyond. It would be trivial for an attacker to send such
packets-of-death from any Linux, Solaris, Android, MacOS, or iOS machine
that they've broken into on the local LAN. And even Windows machines
may have ways to send raw Ethernet packets that could be crafted by
an attacker to appear to be deadly IPv4 240/4 packets.)
John
> In 2008, Vince Fuller, Dave Meyer, and I put together
> draft-fuller-240space, and we presented it to the IETF. There were
> definitely people who thought we should just try to get to v6, but
> what really stopped us was a point that Dave Thaler made: unintended
> impact on non-participating devices, and in particular CPE/consumer
> firewall gear, and at the time there were serious concerns about some
> endpoint systems as well.
I was not in this part of IETF in those days, so I did not participate
in those discussions. But I later read them on the archived mailing
list, and reached out by email to Dave Thaler for more details about his
concerns. He responded with the same general issues (and a request that
we and everyone else spend more time on IPv6). I asked in a subsequent
message for any details he has about such products that he thought would
fail. He was unable or unwilling to point out even a single operating
system, Internet node type, or firewall product that would fail unsafely
if it saw packets from the 240/4 range.
As documented in our Internet-Draft, all such products known to us
either accept those packets as unicast traffic, or reject such packets
and do not let them through. None crashes, reboots, fills logfiles with
endless messages, falls on the floor, or otherwise fails. No known
firewall is letting 240/4 packets through on the theory that it's
perfectly safe because every end-system will discard them.
As far as I can tell, what Eliot says really stopped this proposal in
2008 was Dave's hand-wave of *potential* concern, not an actual
documented problem with the proposal.
If anyone knows an *actual* documented problem with 240/4 packets,
please tell us!
(And as I pointed out subsequently to Dave, if any nodes currently in
service would *actually* crash if they received a 240/4 packet, that's a
critical denial of service issue. For reasons completely independent
from our proposal, those machines should be rapidly identified and
patched, rather than remaining vulnerable from 2008 thru 2021 and
beyond. It would be trivial for an attacker to send such
packets-of-death from any Linux, Solaris, Android, MacOS, or iOS machine
that they've broken into on the local LAN. And even Windows machines
may have ways to send raw Ethernet packets that could be crafted by
an attacker to appear to be deadly IPv4 240/4 packets.)
John
