Jari Arkko wrote: > ... > The difference is that when we speak about routing-related > attacks, a modification of a header can be done by MitMs, > but if the MitMs change the addresses, the whole attack > is changed. For instance, if the intent of the attack was > to install a BCE at www.cnn.com for my laptop's traffic to > be directed somewhere else, changing the address results in > the BCE entry being installed for someone else. I.e., an > attacker can't redirect my traffic anywhere. Similarly, > if stationary nodes have the 'don't accept RR' bit on then > they will not be vulnerable to any MIPv6 based attacks. > Given the absurdity of this claim you clearly don't understand the power of MitM. There is nothing that directs traffic 'somewhere else', because the bit being flipped will be routed to the same wire as the original address. Since the MitM is capable of flipping the bit off in the src, it can bid down the association, then on the return traffic it can flip the bit back on in the dst. If the CN really cares about verifying an address (which it should for any BU), it has a mechanism in the CGA to check. A bit didn't help make that easier.
Tony -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
