Folks,

I sent some comments off-list to Mukesh, and he suggested raising them on the list.

I think the ICMPv6 draft should add some words to raise awareness about ICMP-based attacks that can be performed against transport protocols.

For example, the current draft suggests IPsec, or no checks at all on the received ICMP error messages.

As pointed out by Pekka:

By the way, one additional ICMP attack that could possibly be included in 5.2:

   6. As the ICMP messages are passed to the upper-layer processes, it
      is possible to perform attacks on the upper layer protocols
      (e.g., TCP) with ICMP [TCP-attack].  Protecting the upper layer
      with IPsec mitigates this problem, though the upper layers may
      also perform some form of validation of ICMPs on their own.

Where [TCP-attack] is an informative reference to draft-gont-tcpm-icmp-attacks-03.txt.


Another issue that may be worth considering is suggesting that the so-called "hard errors" should not necessarily be considered "hard". While there's no RFC 1122 for IPv6 (and thus you might say there's no such thing as "hard errors" and "soft errors" in v6), I think everyone will extrapolate RFC 1122's statements on soft and hard errors to the ICMPv6 specification.


-- Fernando Gont e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
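An added example, not part of the original message or of the draft it cites: one way an upper layer (here TCP) could validate a received ICMPv6 error before acting on it, and treat "hard" errors as soft for established connections. The `conn` dictionary, the `HARD` set and all function names are assumptions of this example; extension headers and the ICMPv6 checksum are not handled.

```python
import struct

IPPROTO_TCP = 6
# Assumption: ICMPv6 (type, code) pairs an implementation might call "hard" by
# analogy with RFC 1122: Destination Unreachable, admin-prohibited / port unreachable.
HARD = {(1, 1), (1, 4)}

def seq_in_flight(una, seq, nxt):
    """True if una <= seq < nxt in modular 32-bit sequence space."""
    return ((seq - una) & 0xFFFFFFFF) < ((nxt - una) & 0xFFFFFFFF)

def classify(icmp, conn):
    """Return 'drop', 'soft' or 'hard' for an ICMPv6 error aimed at TCP conn."""
    if len(icmp) < 8 + 40 + 8 or icmp[0] >= 128:   # too short, or not an error
        return "drop"
    inner = icmp[8:]                               # offending packet as quoted
    if inner[0] >> 4 != 6 or inner[6] != IPPROTO_TCP:
        return "drop"                              # extension headers not parsed
    sport, dport, seq = struct.unpack("!HHI", inner[40:48])
    quoted = (inner[8:24], sport, inner[24:40], dport)
    if quoted != (conn["laddr"], conn["lport"], conn["raddr"], conn["rport"]):
        return "drop"                              # not a packet we sent
    if not seq_in_flight(conn["snd_una"], seq, conn["snd_nxt"]):
        return "drop"                              # not data currently in flight
    if (icmp[0], icmp[1]) in HARD and not conn["synchronized"]:
        return "hard"                              # e.g. SYN-SENT: abort the attempt
    return "soft"                                  # record it, let TCP retransmit

def build_error(itype, code, conn, seq):
    """Constructed sample: ICMPv6 error quoting an IPv6+TCP header we 'sent'."""
    ip6 = (struct.pack("!IHBB", 6 << 28, 20, IPPROTO_TCP, 64)
           + conn["laddr"] + conn["raddr"])
    tcp = struct.pack("!HHIIHHHH", conn["lport"], conn["rport"], seq, 0,
                      5 << 12 | 0x10, 1024, 0, 0)
    return struct.pack("!BBHI", itype, code, 0, 0) + ip6 + tcp

# Constructed connection state; the send window wraps around 2**32 on purpose.
CONN = {"laddr": bytes.fromhex("20010db8" + "00" * 11 + "01"),
        "raddr": bytes.fromhex("20010db8" + "00" * 11 + "02"),
        "lport": 49152, "rport": 179,
        "snd_una": 0xFFFFFF00, "snd_nxt": 0x00000100, "synchronized": True}

if __name__ == "__main__":
    for seq in (0x10, 0x5000):
        print(hex(seq), classify(build_error(1, 4, CONN, seq), CONN))
```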
