Jyrki Soini wrote:

> I sent a comment to ICMPv6 update draft during IETF meeting
> and received a few comments but not quite a discussion. Here is a somewhat extreme
> example of the DoS attack vulnerability I'm worried about:
>
> Imagine, one day man is landing on Mars and real-time video is
> multicasted on Internet. There are 100 million listeners on the
> group.

I like this idea, especially the part where 100 million users are using IPv6 ;)

<SNIP>

> I see two alternatives to limit the Echo Reply to multicast packet
> problem:
> 1. Limit Echo Reply packet to only be allowed on link-scope multicast
>    echo requests.
> 2. Require that hop-limit is set to for instance value 1 for the
>    Echo Reply packet.

<SNIP>

> Perhaps in practice the hop-limit could be somewhat bigger
> than 1 without real problems?

I would suggest that the default hoplimit for these kind of ICMP's gets set to 1 but that it is configurable in cases where the ISP knows the size of their multicast network. In an ideal solution it would be only the hops of a maximum of 2 AS's.

In light of the above and debugging multicast wouldn't it be a good idea to revive and implement mtrace, e.g. as in:
http://archive.dante.net/mbone/refs/draft-ietf-idmr-traceroute-ipm-07.txt
But then for IPv6?

Greets,
 Jeroen

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
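
The two alternatives from the quoted message, together with the configurable hop limit suggested in the reply, sketched as a reply-policy function. This is an added example, not code from the thread or from any IPv6 stack; the function names, the policy strings and the unicast default hop limit of 64 are assumptions.

```python
import ipaddress

# Multicast scope values from the IPv6 addressing architecture (RFC 4291):
# 0x1 = interface-local, 0x2 = link-local. Both stay on the local link.
ON_LINK_SCOPES = {0x1, 0x2}


def multicast_scope(addr):
    """Return the 4-bit scope field of an IPv6 multicast address,
    or None when the address is not multicast."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        return None
    # ff<flags:4><scope:4>::/16 -> the scope is the low nibble of byte 1
    return ip.packed[1] & 0x0F


def echo_reply_decision(request_dst, policy,
                        multicast_hop_limit=1, default_hop_limit=64):
    """Decide how to answer an Echo Request addressed to request_dst.

    policy (assumed names):
      "link-scope-only": alternative 1, reply only to on-link multicast
      "hop-limit":       alternative 2, reply with a small hop limit
                         (default 1, configurable as the reply suggests)
    Returns (send_reply, hop_limit); hop_limit is None when no reply is sent.
    """
    scope = multicast_scope(request_dst)
    if scope is None:
        # Unicast Echo Request: not affected by either alternative.
        return (True, default_hop_limit)
    if policy == "link-scope-only":
        if scope in ON_LINK_SCOPES:
            return (True, default_hop_limit)
        return (False, None)  # wider-scope group: stay silent
    if policy == "hop-limit":
        # The reply is dropped after multicast_hop_limit hops, so replies
        # from distant group members never converge on the claimed source.
        return (True, multicast_hop_limit)
    raise ValueError(f"unknown policy: {policy!r}")


if __name__ == "__main__":
    # Constructed sample destinations: link-local all-nodes, a global-scope
    # group, and a documentation-prefix unicast address.
    for dst in ("ff02::1", "ff0e::1234", "2001:db8::1"):
        for policy in ("link-scope-only", "hop-limit"):
            print(dst, policy, echo_reply_decision(dst, policy))
```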