I keep hoping that this thread will end but it doesn't :) 
I'm sure we'll all miss this! Comments below.

  > On Thu, 31 Oct 2002, Margaret Wasserman wrote:
  > > >BGP is not the point.  Consider e.g.:
  > > >
  > > >[attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]
  > > >
  > > >Now the attacker can send packets with a fec0::/10 source address to the
  > > >customer -- no one will block them unless they're explicitly configured as
  > > >site borders -- before the customer itself.  And if the customer does not
  > > >block them, we're in for very serious trouble.
  > > 
  > > Far be it from me to argue the other side in this debate, but...
  > > 
  > > I agree that the packet with a site-local source would get
  > > through to the customer's site.  But, what serious trouble
  > > would this cause?
  > > 
  > > This would only cause trouble, I guess, if the customer's
  > > system attributes some special security status to packets
  > > that appear to come _from_ a site-local address, which would
  > > be quite inadvisable.
  > 
  > The whole point (or a big portion of it..) of the "security benefit" of
  > site-local addresses comes from the added trust given to site-local
  > addresses (which by the site's definition, are only reachable from inside
  > the site).

=> Pekka, if all the ISPs between the client in your picture and the
destination are stupid enough to not ingress filter the SL source, AND
the end site is equally as incompetent, then yes, your client will
get there. He will never get anything back though.

I'm sorry but I don't see this as a realistic or serious issue.

Hesham
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
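
The scenario debated in this thread, as an added example that is not part of the original messages: a border filter that drops fec0::/10 sources arriving from outside, next to a host policy that grants extra trust to site-local sources. The interface names, the host policy and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Site-local unicast prefix discussed in the thread.
SITE_LOCAL = ipaddress.ip_network("fec0::/10")

# Constructed sample packets: (ingress interface, source address).
PACKETS = [
    ("external", "fec0::1234"),      # site-local source arriving from the ISP side
    ("internal", "fec0:0:0:1::10"),  # genuine host inside the site
    ("external", "2001:db8::5"),     # ordinary global source (documentation prefix)
]


def is_site_local(src):
    """True if the source address falls inside fec0::/10."""
    return ipaddress.ip_address(src) in SITE_LOCAL


def border_forwards(iface, src, filter_site_local):
    """Return True if the site border forwards the packet into the site.

    With filter_site_local enabled, a site-local source seen on the
    external interface is dropped, since it cannot be legitimate there.
    """
    if filter_site_local and iface == "external" and is_site_local(src):
        return False
    return True


def host_trusts(src):
    """Hypothetical host policy: extra trust for site-local sources."""
    return is_site_local(src)


def wrongly_trusted(packets, filter_site_local):
    """Packets that entered from outside yet are trusted by the host."""
    return [
        (iface, src)
        for iface, src in packets
        if iface == "external"
        and border_forwards(iface, src, filter_site_local)
        and host_trusts(src)
    ]


if __name__ == "__main__":
    print("border unfiltered:", wrongly_trusted(PACKETS, False))
    print("border filtered:  ", wrongly_trusted(PACKETS, True))
```

The packet only ends up trusted when both conditions from the thread hold: the border does not filter site-local sources on its external side, and the host attaches trust to the source address alone.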
