A worrisome proposal from the IETF

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.
  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

Steve

(as in GRC)
Staff member
Feb 1, 2019
921
1,270
69
Southern CA, USA
www.grc.com
If this was dated April 1st, I'd be less concerned. I am certain that I've seen 127.x.y.z in use where x != 0.

Many on the Internet are in agreement that f**king with 127/8 in any way would be an epic mistake.


It's going to be interesting to see whether this goes anywhere.

A useful Twitter thread is here: https://twitter.com/ollieatnccgroup/status/1460857181906116609
 
  • Like
Reactions: Barry Wallis
When I saw this, I tried to trace a path to 127.1.0.1, which should be routable according to the proposed RFC, from my macOS 12.1 computer. It does not seem my computer even tried to send a frame for it.

I will need to do further testing tonight 😃
 
When I saw this, I tried to trace a path to 127.1.0.1, which should be routable according to the proposed RFC, from my macOS 12.1 computer. It does not seem my computer even tried to send a frame for it.
In the Twitter thread are people who are certain that they've seen firewalls with "127/8 Allow" rules. I cannot see how making this sort of change could possibly be done at this late time. And, BOY! does it demonstrate the real-world reluctance to switch to IPv6!!
 
  • Like
Reactions: Barry Wallis
I feel like they would be smarter to deprecate 127/8 completely, and move it somewhere new. That would allow them to have a window (which would need to be years long) where software could be rewritten to forcefully kill ANY packet to 127/8 so that bugs could be exposed. They could steal 10.127.x.x as the new loopback?
 
In the Twitter thread are people who are certain that they've seen firewalls with "127/8 Allow" rules. I cannot see how making this sort of change could possibly be done at this late time. And, BOY! does it demonstrate the real-world reluctance to switch to IPv6!!
Properly configured firewalls that have 127.0.0.0/8 in a rule, it should be on the loopback interface, typically lo or lo0.
Nothing prevents humans from being humans and doing what they want.

The current OS default routing tables prevent from routing anything 127.0.0.0/8 through to the NIC. So even if the firewall is accepting 127.0.0.0/8 from a non-loopback interface, chances are minimal that anything would match the rule.

Now, the RFC would only apply to up-to-date devices. It would basically create a third tier of Internet (first tier: IPv4, second tier: IPv6), those that understand that 127.1.0.0/16 is Internet-routable… Ooops!
Let's not forget that all the routers will need to be modified to take this change into account, not only home routers or operating system vendors. I don't really see that happening.

------
How I found the system routing tables
I have dug a little bit deeper into it.
(Note: I hid the results of the IPv6 table, as it would reveal parts of the subnet my ISP assigned me. The devices pictures here only run DHCPv4 and DHCPv6 clients for relevant network configuration)

On my Mac, Apple sets a route for the loopback IPv4 subnet, and loopback IPv6 address into the system routing table, on interface lo0. So anything going to those addresses will leave through interface lo0 unless a more preferred route exists.
Screen Shot 2021-11-17 at 23.03.53.png

You can look at macOS's local routing table using: netstat -rn

On Windows Server (and I expect Windows Client to be the same), Microsoft does the same thing, and you currently can't override that route, even if it looks like you can. It will still continue on the internal loopback.
Screen Shot 2021-11-17 at 23.15.33.png

You can look at Windows's local routing table using: route print

And the same on Linux as well, but you need to dig deeper to list the entire routing table.
Screen Shot 2021-11-17 at 23.31.49.png

The command is: ip route show table all
 
Last edited:
I feel like they would be smarter to deprecate 127/8 completely, and move it somewhere new. That would allow them to have a window (which would need to be years long) where software could be rewritten to forcefully kill ANY packet to 127/8 so that bugs could be exposed. They could steal 10.127.x.x as the new loopback?
Why not simply 0.0.0.1/32? It would match exactly the IPv6 loop back address ::1/128 in binary 😁

10.0.0.0/8 is already in use in many (most?) business, so that would quickly become a hurdle.