> ... I spoke to the NOC about it, and found out that they had only
> allocated enough address space for 256 hosts, and there were well over
> 300 people in the room, many of whom were knowledgeable networking
> researchers. Somebody was ARP spoofing, stealing addresses because not
> enough had been allocated. ARP spoofing is one of the threats SEND is
> designed to counter, so if IPv6/SEND had been deployed, this attack
> would not have been possible.

If IPv6 had been deployed, the router would have announced a /64, and
there would have been addresses available for everybody...

> ... (and this is a particular problem for 802.11
> because the management frames are completely unprotected). The spoofer
> cannot, however, claim frames holding packets having your IP address
> if SEND is used, because the mapping is protected.

The mapping is protected but, unless the network implements 802.1X and
negotiates different keys for each station, the attacker has no
difficulty getting a copy of your packets, or sending packets from a
spoofed MAC address.

Don't get me wrong, I like SEND. My point was just that if we allow
"transparent" bridges at all, then we essentially allow the same
man-in-the-middle attacks that are also possible with ND proxy.

-- Christian Huitema

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
