Pekka Savola wrote:
> Undeniably, you can input packets with:
>
> - link-local source (here: ff80::1)
> - link-local destination (here: ff80::2)
> - hop limit 255
>
> in the tunnel interface.

Not if the tunnel interface consistency check is applied to prevent it. If you don't want to accept link-local packets over the tunnel you are not required to. Accepting packets through a filter needs to be done for each of the interfaces. If you are willing to accept packets from any IPv4 source, but not any IPv6 source, then you have to recheck the packet once it is decapsulated.

> Now, if the router has 'ff80::2' configured as one of its
> pseudo-interface addresses, that address can be reached via tunneling with
> hop limit 255 from anywhere.
>
> See the potential problem here?

Yes, the node is reachable using IPv4 from anywhere, and you are trying to make believe that adding IPv6 is somehow a bigger problem. What is the point? If packets can get there via IPv4, the fact that some of them may be encapsulated IPv6 makes no difference. If a node has a policy that packets over the global IPv4 interface go through some firewall process, then the same policy MUST apply to the tunnel interface. If it doesn't, the site administrator is brain-dead and deserves what he gets. If your complaint is that a site administrator can't apply granular policy to a link-local address over a tunnel, you are right and they simply need to block all FE80 addresses on that interface.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
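Added example, not part of the thread above: a Python sketch of the decapsulation-time recheck the reply describes. It parses a constructed IPv4 (protocol 41) outer header and IPv6 inner header, applies the same peer filter to the tunnel that the native IPv4 interface would get, and then blocks every fe80::/10 source or destination on the tunnel interface. The function names, the optional allowed-peer set and the sample addresses are assumptions of this example.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def parse_outer_ipv4(pkt):
    """Return (src, dst, protocol, payload) from a minimal IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:])

def parse_inner_ipv6(payload):
    """Return (src, dst, hop_limit) from the fixed 40-byte IPv6 header."""
    return (ipaddress.IPv6Address(payload[8:24]),
            ipaddress.IPv6Address(payload[24:40]), payload[7])

def tunnel_ingress_check(pkt, allowed_v4_peers=None):
    """Apply the tunnel-interface policy to one encapsulated packet.

    Returns (verdict, reason). The outer IPv4 header gets the same peer
    check the native IPv4 interface would apply; the decapsulated IPv6
    packet is then rechecked, and link-local addresses are dropped.
    """
    v4src, _v4dst, proto, payload = parse_outer_ipv4(pkt)
    if proto != 41:  # only IPv6-in-IPv4 (IP protocol 41) is expected here
        return "drop", "not an encapsulated IPv6 packet"
    if allowed_v4_peers is not None and v4src not in allowed_v4_peers:
        return "drop", f"outer IPv4 source {v4src} is not a configured peer"
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return "drop", "malformed inner IPv6 header"
    src, dst, hop_limit = parse_inner_ipv6(payload)
    # Recheck after decapsulation: a hop limit of 255 proves nothing here,
    # since the tunnel delivers it from any IPv4 source, so fe80:: is blocked.
    if src in LINK_LOCAL or dst in LINK_LOCAL:
        return "drop", f"link-local address over tunnel: {src} -> {dst}"
    return "accept", f"hop limit {hop_limit}"

def build_packet(v4src, v4dst, v6src, v6dst, hop_limit):
    """Construct a sample IPv4(proto 41)+IPv6 packet with no payload."""
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, hop_limit)  # 59 = no next header
    inner += ipaddress.IPv6Address(v6src).packed + ipaddress.IPv6Address(v6dst).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0,
                        ipaddress.IPv4Address(v4src).packed,
                        ipaddress.IPv4Address(v4dst).packed)
    return outer + inner

if __name__ == "__main__":
    spoofed = build_packet("192.0.2.1", "198.51.100.1", "fe80::1", "fe80::2", 255)
    print(tunnel_ingress_check(spoofed))
```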