Greg Daley wrote:
I'm concerned that if there is a way to find out all the nodes on a link, this information may be used (by the querier, or another device) to cause remote flooding attacks onto a network, or to particular otherwise unmodified hosts.
That is the case if a remote node can do the discovery operation. But if the discovery operation is limited to nodes on the link, then we don't have the "remote" concern.
I think that might be a reasonable middle ground. It would still make it harder than in IPv4 to explore all hosts, yet one can have e.g. SNMP access to a local agent on the link that provides this (with appropriate SNMP security) to allow remote management.
Elsewhere I've run into the management need to find a particular host from knowing only its MAC address. The suggestion to have INVARP would help with that subproblem.
Erik

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------