At 10:53 09/03/2005 -0600, [EMAIL PROTECTED] wrote:

As discussed in the IPv6 WG meeting yesterday, I am planning to
replace sub-sections (b), (c) and (d) of section 2.2 in the
draft with the following text:

=======================================
(b) If the message is a response to a message sent to any other
    address, such as
      - a multicast group address,
      - an anycast address implemented by the node, or
      - a unicast address which does not belong to the node
    the Source Address of the ICMPv6 packet MUST be a unicast
    address belonging to the node.  The address SHOULD be chosen
    according to the rules which would be used to select the source
    address for any other packet originated by the node, given
    the destination address of the packet, but MAY be selected
    in an alternative way if this would lead to a more
    informative choice of address which is reachable from the
    destination of the ICMPv6 packet.
=======================================

Unless I'm missing something, this change makes it more probable that the source address of the ICMP message will be different from the destination IP address of the packet that elicited it.


Suppose an ICMP error refers to a TCP connection I have established with a remote peer. With these modifications to the ICMPv6 draft, I could no longer require ICMP messages to have the same source address that is being used for the TCP connection.

As a result, an attacker would not need to forge the source address of ICMPv6 messages for them to be passed to the corresponding transport protocol instance, and thus simple egress filtering would not serve as a counter-measure against ICMP-based attacks.

Let me know if I am missing something.

Thanks!


-- Fernando Gont e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
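The check the message above is arguing about, as an added example that is not part of the thread or of any draft text: a receiver parses an ICMPv6 error, recovers the 4-tuple of the embedded (invoking) TCP segment, looks it up in its connection table, and optionally also requires the ICMPv6 packet's own source address to be the connection's remote address. The addresses, port numbers, the connection table and the `require_peer_source` flag are all constructed for this illustration; the header layouts follow RFC 2460/RFC 4443 and the ICMPv6 checksum is left at zero because nothing here transmits the packet.

```python
import ipaddress
import struct

# Constructed connection table: keys are (local_addr, local_port, remote_addr, remote_port).
# Addresses are taken from the 2001:db8::/32 documentation prefix.
LOCAL = ipaddress.IPv6Address("2001:db8:1::10")
PEER = ipaddress.IPv6Address("2001:db8:2::20")
ATTACKER = ipaddress.IPv6Address("2001:db8:3::66")
CONNECTIONS = {(LOCAL, 40000, PEER, 443): "conn-1"}


def ipv6_header(src, dst, next_header, payload_len):
    """Fixed 40-byte IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + ipaddress.IPv6Address(str(src)).packed
            + ipaddress.IPv6Address(str(dst)).packed)


def tcp_header(sport, dport, seq):
    """Minimal 20-byte TCP header: ports, SEQ, ACK=0, data offset 5, ACK flag, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)


def icmpv6_error(icmp_type, code, invoking_packet):
    """ICMPv6 error body: type, code, checksum (left zero here), 4-byte unused field,
    then as much of the invoking packet as fits in the minimum IPv6 MTU (1280-40-8)."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + invoking_packet[:1232]


def embedded_tcp_tuple(icmp_body):
    """Return (type, code, (src, sport, dst, dport)) of the IPv6+TCP packet quoted inside
    an ICMPv6 error, or None if the body is not an error or does not quote IPv6+TCP."""
    if len(icmp_body) < 8 + 40 + 4:          # ICMPv6 header + IPv6 header + TCP ports
        return None
    icmp_type, code = icmp_body[0], icmp_body[1]
    if icmp_type >= 128:                      # 128 and above are informational, not errors
        return None
    inner = icmp_body[8:]
    if inner[0] >> 4 != 6 or inner[6] != 6:   # IPv6 version nibble, Next Header = TCP (6)
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    sport, dport = struct.unpack("!HH", inner[40:44])
    return icmp_type, code, (src, sport, dst, dport)


def deliver_icmpv6_error(icmp_src, icmp_body, connections, require_peer_source):
    """Return the connection an ICMPv6 error should be handed to, or None to drop it.
    The quoted packet was sent by this node, so its source/destination are the
    connection's local/remote addresses.  With require_peer_source=True the ICMPv6
    packet's own source must additionally equal the connection's remote address."""
    parsed = embedded_tcp_tuple(icmp_body)
    if parsed is None:
        return None
    _, _, (src, sport, dst, dport) = parsed
    key = (src, sport, dst, dport)
    if key not in connections:
        return None
    if require_peer_source and ipaddress.IPv6Address(str(icmp_src)) != dst:
        return None
    return connections[key]


# Constructed sample: the segment this node sent on conn-1, and a Destination Unreachable
# (type 1, code 0, "no route to destination") error quoting it.
INVOKING = ipv6_header(LOCAL, PEER, 6, 20) + tcp_header(40000, 443, seq=1000)
ERROR = icmpv6_error(1, 0, INVOKING)


def demo():
    """Same error body, three different ICMPv6 source addresses / policies."""
    return {
        "from_peer_strict": deliver_icmpv6_error(PEER, ERROR, CONNECTIONS, True),
        "from_attacker_strict": deliver_icmpv6_error(ATTACKER, ERROR, CONNECTIONS, True),
        "from_attacker_relaxed": deliver_icmpv6_error(ATTACKER, ERROR, CONNECTIONS, False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With `require_peer_source=True` an off-path attacker has to put the peer's address in the ICMPv6 source field, which is exactly the kind of packet egress filtering at the attacker's network would drop; with the flag off, any source address is accepted as long as the quoted 4-tuple matches, so only the 4-tuple itself stands between the attacker and the TCP instance. A check that does not depend on the source address at all is to also compare the quoted TCP sequence number against the connection's send window, which is what RFC 5927 later recommended for TCP.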
