IPv4 multicast should probably be implicitly blacklisted #168
Comments
|
Yet another argument in favor of #140. Once traffic intended to be translated has to be manually routed towards Jool, it will naturally stop seeing link-local traffic. As a workaround, 224.0.0.0 |
Correct. So this is just a suggestion, it doesn't cause me any operational problems in any way. |
I'm only adding the 224.0.0.0/24 blacklist. I still gotta check whether other similar ranges should also be ignored.
|
Tore Anderson [email protected] wrote: I can't see a good reason to translate class D addresses (multicast). |
Don't worry; those are already blacklisted. This is the relevant code.
Well, since they are experimental, I don't think we should completely ban the user from doing whatever with them. They can always be manually blacklisted if use cases or security implications arise. |
1. There are separate pool4s now for protocols TCP, UDP and ICMP. 2. Applied #168 to this branch (because the blacklist is implemented differently). 3. ICMP errors reporting incorrect MTUs during fragmentation neededs/packet too bigs.
ydahhrk
added
Bug
Can be improved by #140
Merged (needs release)
and removed
Merged (needs release)
labels
|
The code blacklists 224.0.0.0/4 But this documentation doesn't mention that range can't be used: |
|
Fixed; thank you! |
I've noticed that Jool will happily by default translate traffic destined for multicast addresses. Here's an example showing a VRRP packet being translated:
RFC 6052 is silent on the subject of multicast, while RFC 6145 says:
The last sentence there makes me think that IPv4 multicast (224.0.0.0/4) should probably be implicitly blacklisted. At the very least, IPv4 multicast addresses which the local node has subscribed to should be - there's some application running on the Jool node that's interested in those packets; Jool shouldn't steal them.
The text was updated successfully, but these errors were encountered: