A worrisome proposal from the IETF

  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.

Steve

(as in GRC)
Staff member
Feb 1, 2019
377
1
1,000
66
Southern CA, USA
www.grc.com
If this was dated April 1st, I'd be less concerned. I am certain that I've seen 127.x.y.z in use where x != 0.

Many on the Internet are in agreement that f**king with 127/8 in any way would be an epic mistake.


It's going to be interesting to see whether this goes anywhere.

A useful Twitter thread is here: https://twitter.com/ollieatnccgroup/status/1460857181906116609
 
  • Like
Reactions: Barry Wallis

EdwinG

Well-known member
Sep 24, 2020
53
15
When I saw this, I tried to trace a path to 127.1.0.1, which should be routable according to the proposed RFC, from my macOS 12.1 computer. It does not seem my computer even tried to send a frame for it.

I will need to do further testing tonight 😃
 

Steve

(as in GRC)
Staff member
Feb 1, 2019
377
1
1,000
66
Southern CA, USA
www.grc.com
When I saw this, I tried to trace a path to 127.1.0.1, which should be routable according to the proposed RFC, from my macOS 12.1 computer. It does not seem my computer even tried to send a frame for it.
In the Twitter thread are people who are certain that they've seen firewalls with "127/8 Allow" rules. I cannot see how making this sort of change could possibly be done at this late time. And, BOY! does it demonstrate the real-world reluctance to switch to IPv6!!
 
  • Like
Reactions: Barry Wallis

PHolder

Well-known member
Sep 16, 2020
764
2
359
Ontario, Canada
I feel like they would be smarter to deprecate 127/8 completely, and move it somewhere new. That would allow them to have a window (which would need to be years long) where software could be rewritten to forcefully kill ANY packet to 127/8 so that bugs could be exposed. They could steal 10.127.x.x as the new loopback?
 

EdwinG

Well-known member
Sep 24, 2020
53
15
In the Twitter thread are people who are certain that they've seen firewalls with "127/8 Allow" rules. I cannot see how making this sort of change could possibly be done at this late time. And, BOY! does it demonstrate the real-world reluctance to switch to IPv6!!
Properly configured firewalls that have 127.0.0.0/8 in a rule, it should be on the loopback interface, typically lo or lo0.
Nothing prevents humans from being humans and doing what they want.

The current OS default routing tables prevent from routing anything 127.0.0.0/8 through to the NIC. So even if the firewall is accepting 127.0.0.0/8 from a non-loopback interface, chances are minimal that anything would match the rule.

Now, the RFC would only apply to up-to-date devices. It would basically create a third tier of Internet (first tier: IPv4, second tier: IPv6), those that understand that 127.1.0.0/16 is Internet-routable… Ooops!
Let's not forget that all the routers will need to be modified to take this change into account, not only home routers or operating system vendors. I don't really see that happening.

------
How I found the system routing tables
I have dug a little bit deeper into it.
(Note: I hid the results of the IPv6 table, as it would reveal parts of the subnet my ISP assigned me. The devices pictures here only run DHCPv4 and DHCPv6 clients for relevant network configuration)

On my Mac, Apple sets a route for the loopback IPv4 subnet, and loopback IPv6 address into the system routing table, on interface lo0. So anything going to those addresses will leave through interface lo0 unless a more preferred route exists.
Screen Shot 2021-11-17 at 23.03.53.png

You can look at macOS's local routing table using: netstat -rn

On Windows Server (and I expect Windows Client to be the same), Microsoft does the same thing, and you currently can't override that route, even if it looks like you can. It will still continue on the internal loopback.
Screen Shot 2021-11-17 at 23.15.33.png

You can look at Windows's local routing table using: route print

And the same on Linux as well, but you need to dig deeper to list the entire routing table.
Screen Shot 2021-11-17 at 23.31.49.png

The command is: ip route show table all
 
Last edited:

EdwinG

Well-known member
Sep 24, 2020
53
15
I feel like they would be smarter to deprecate 127/8 completely, and move it somewhere new. That would allow them to have a window (which would need to be years long) where software could be rewritten to forcefully kill ANY packet to 127/8 so that bugs could be exposed. They could steal 10.127.x.x as the new loopback?
Why not simply 0.0.0.1/32? It would match exactly the IPv6 loop back address ::1/128 in binary 😁

10.0.0.0/8 is already in use in many (most?) business, so that would quickly become a hurdle.