At 13:57 11/04/2005 -0500, [EMAIL PROTECTED] wrote:
I agree that we should add some words to raise awareness about the ICMP-based attacks. We could add the text that Pekka suggested in the security consideration section and provide an informative reference to your draft.
That'd be a good thing.
I don't think the ICMP draft should go into details of how a transport protocol should protect itself against these attacks. I think it will be a good idea to write separate drafts for those details.
I didn't mean we should provide details on how transport protocols should react to ICMP errors. I just suggested that the ICMPv6 draft should recommend transport protocols to use the information contained in the payload to validate the ICMP messages (but don't say a word about the actual checks), and also that it would be great if it provided a few words about what the ICMP error types/codes mean.
If left "as is", people will extrapolate the RFC 1122 description to ICMPv6.
I just say that adding something like "these error codes do not necessarily indicate hard errors". That little sentence would mean the discussion of ICMP in RFC 1122 does not necessarily apply to ICMPv6.
BTW, (closely related to this thread), this was released yesterday:
* Cisco's vulnerability report http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
* CERT/CC's vulnerability report http://www.kb.cert.org/vuls/id/222750
* NISCC's vulnerability report http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------