On Thu, 31 Oct 2002, Margaret Wasserman wrote:
> >BGP is not the point. Consider e.g.:
> >
> >[attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]
> >
> >Now the attacker can send packets with a fec0::/10 source address to the
> >customer -- no one will block them unless they're explicitly configured as
> >site borders -- before the customer itself. And if the customer does not
> >block them, we're in for very serious trouble.
>
> Far be it from me to argue the other side in this debate, but...
>
> I agree that the packet with a site-local source would get
> through to the customer's site. But, what serious trouble
> would this cause?
>
> This would only cause trouble, I guess, if the customer's
> system attributes some special security status to packets
> that appear to come _from_ a site-local address, which would
> be quite inadvisable.
The whole point (or a big portion of it..) of the "security benefit" of site-local addresses comes from the added trust given to site-local addresses (which by the site's definition, are only reachable from inside the site).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
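The gap the two messages describe, as an added illustration that is not part of the thread: a router only drops fec0::/10 traffic on interfaces explicitly declared as site borders, and a host that grants trust on a site-local source alone is fooled when no border is declared. The packet model, interface names ("isp0", "lan0") and the trust policy are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# fec0::/10 is the site-local prefix the thread is about.
SITE_LOCAL = ipaddress.ip_network("fec0::/10")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # constructed: name of the interface the packet arrived on


def is_site_local(addr: str) -> bool:
    return ipaddress.ip_address(addr) in SITE_LOCAL


def site_border_filter(pkt: Packet, border_ifaces: frozenset) -> str:
    """Return 'drop' or 'forward'.  Only interfaces configured as site
    borders discard site-local traffic; with no border configured the
    router forwards everything, which is the gap Pekka points at."""
    if pkt.ingress in border_ifaces and (
        is_site_local(pkt.src) or is_site_local(pkt.dst)
    ):
        return "drop"
    return "forward"


def naive_is_trusted(pkt: Packet) -> bool:
    """The policy Margaret calls inadvisable: trust any packet whose
    source merely claims to be site-local."""
    return is_site_local(pkt.src)


def deliver(pkt: Packet, border_ifaces: frozenset) -> dict:
    """Run a packet through the border filter, then the host's trust check."""
    verdict = site_border_filter(pkt, border_ifaces)
    trusted = verdict == "forward" and naive_is_trusted(pkt)
    return {"border": verdict, "trusted": trusted}


# Constructed samples: a packet arriving on the ISP-facing link with a
# site-local source it cannot legitimately have, and a genuine internal one.
SPOOFED = Packet(src="fec0::1", dst="fec0::10", ingress="isp0")
INTERNAL = Packet(src="fec0::2", dst="fec0::10", ingress="lan0")

if __name__ == "__main__":
    print(deliver(SPOOFED, frozenset()))          # no border declared: trusted
    print(deliver(SPOOFED, frozenset({"isp0"})))  # isp0 declared a border: dropped
    print(deliver(INTERNAL, frozenset({"isp0"})))  # internal traffic unaffected
```

The first call shows the failure mode: the forwarded packet passes the host's trust check purely on its claimed source, and only declaring the ISP-facing interface a site border closes it.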