> Well, this brings up the reason why I asked for clarification.

I need to spend some time getting back up to speed with DNA, as that
work is a complementary piece of this puzzle. Let me defer responding to
your point until later.
> >   Likewise, an Optimistic node can still inject IP packets into the
> >   Internet that will in effect be "spoofed" packets appearing to come
> >   from the legitimate node. In some cases, those packets may lead to
> >   errors or other operational problems, though one would expect that
> >   upper layer protocols would generally treat such packets robustly,
> >   in the same way they must treat old and other duplicate packets.
> >

> It is true that an Optimistic attacker can do this, but, really, can't any
> IPv6 node do it? An attacking node doesn't have to do DAD, it could simply
> come on the link and start sending packets to the Internet with whatever
> address it wants. It might not get anything back, of course, since any
> response will get sent to the legitimate owner of the address.

I think the key difference is that nodes running optimistic DAD may
end up spoofing traffic, even though they are following the spec and
are "good" nodes. I.e., there is no ill-intent, as is the case with
attacking nodes.

So we may end up seeing such events even in cases where there are no
"attackers". 

Thomas

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
