[e2e] It's all my fault

David P. Reed dpreed at reed.com
Sat May 12 11:40:58 PDT 2007


Jari - Implementors who remove or disable source routing are (in my 
opinion, of course) taking matters into their own hands on the basis of 
a misguided theory that source routing *causes* denial of service.  
Source routing is a standard, and was not included in the standard as a 
"mistake" (either in IPv4 or in IPv6).  It was included as a useful 
tool.  It was intended that end users would be able to use it.  Blocking 
end users from using it is vigilante action.

That would be appropriate if source routing were a bad idea.  It is 
not.   It is a tool, which can be misused.   Removing screwdrivers from 
the workbench because they can be used to stab people through the eye is 
the same sort of logic.

There is a rather nice analysis of the utility of source routing that 
Jerry Saltzer and I wrote many years ago.   We did not invent the idea - 
Dave Farber used it prior to that.   And source routing is a well 
understood routing technique taught in the literature.

Regarding Bush's point about "amelioration" of source routing's 
effects.   Source routing does not have effects.   Denial of service 
attacks have effects.   I am happy to talk about amelioration of denial 
of service attacks.  

Regarding Paul Vixie - I rarely speak out against people, mostly going 
after their ideas.  But Vixie has a track record.   He is one of the 
inventors, apologists, and promoters of aggressive spam blackhole lists: 
holding non-offenders by the thousands accountable for the actions of a 
few spammers.   I and many others have been held hostage by having our 
email blocked by his "blackhole vigilantes".   He has never apologized 
for it.   I personally think he could be sued for millions of dollars of 
lost work and aggravation.

Your mileage may vary. 

Jari Arkko wrote:
> Randy, David,
>
>> it would be considerably more helpful if, instead of ad homina and
>> vituperation, you actually spoke to the rh0 security issues and possible
>> approaches to mitigation as a technical and engineering problem.
>
> Indeed.
>
> Implementors have largely already done the right thing
> already earlier or else released patches in recent weeks.
> We are also dealing with the removal/disable of RH0 in the
> IPv6 WG list discussion. Other parts of the protocol stack
> that needed something like routing header have already
> years ago been designed to do something safe instead of
> RH0.
>
> My advice: if you have something to say about the way
> which we should disable RH0, go to the IPv6 list. Or if
> you can, apply a patch in your company's products or
> networks. Or apply your energy in figuring out what
> other vulnerabilities we have in our stacks; there's
> plenty of work in this space...
>
> Jari