>> This ambiguity creates chances to malicious party to trick victim nodes.
>> Here are a couple of examples:
>How are these any different than with IPv4? I can send bad source
>addresses in IPv4 just as easily as in IPv6. IPv6 might even make it
>easier to do, e.g., reverse-path filtering (less prefixes to worry
>about).
the key difference is that it may be possible to circumvent IPv4
filters by using IPv4 mapped address (= IPv6 address like
::ffff:1.2.3.4). the problem is in additional complexity due to
the interaction between IPv4 packet and IPv6 API/packet.
>Any kernel that takes a packet saying it is from the local host
>off the wire is broken.
>Any firewall that allows through a packet from the Internet saying
>it is from the LAN is broken.
i agree with these, but some of the specifications (like SIIT)
assume the use of IPv4 mapped address on wire, making it harder
for firewalls/hosts to deal with bad addresses.
itojun
