Hi Mohacsi, Greg,

On Tue, 2 Aug 2005 18:48:11 +0200 (CEST)
Mohacsi Janos <[EMAIL PROTECTED]> wrote:

> On Wed, 3 Aug 2005, Mark Smith wrote:
>
> > Hi Greg,
> >
> > On Wed, 03 Aug 2005 01:48:42 +1000
> > Greg Daley <[EMAIL PROTECTED]> wrote:
> >
> >> Hi,
> >>
> >
> > <snip>
> >
> >>
> >> At the moment there's no security for MLD, but the risk is
> >> limited to link-local addresses which are not vulnerable to
> >> off-link attacks.
> >>
> >
> > Until malware, delivered as an email payload or via a socially
> > engineered HTTP download, or some other "higher-than-layer-3/4" method
> > takes advantage of that capability to discover nodes, and then do
> > whatever it wants to them e.g. DoS them, or "call home" and then act as a
> > relay between the offsite node and these link-local devices etc.
> >
> > I don't think the "on-link" limitation is all that much of one
> > unfortunately.
>
> Agree, but we should not destroy this "on-link" limitation...
>

I also agree with that.

One thing I've realised overnight is that most "entities" (animals, military, etc.) that use hiding as a security method don't have it as their only security method. They usually use it as a first line of defence, albeit not a very strong one. It might work, and if it does, that's all well and good. If it doesn't, they have at least one or more much more secondary security methods e.g. being able to run away very quickly.

Learning from that example, it probably means that while the hiding property of IPv6 addressing is useful, it isn't all that strong a security mechanism, and in particular, shouldn't be the only one relied on. Therefore, while I certainly think we should try to preserve it in IPv6, we shouldn't necessarily blindly think that if it is somewhat easily overcome (e.g., my example from above), we have a serious problem. Other techniques, such as host based firewalling for example, need to be in place if the hiding measures are overcome.

Regards,
Mark.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------