Hi Ole,

Thanks for the comments. 

Can you point me to a document which tells of the generic check at the
decapsulator, which states what you said (the decapsulator checking in
the decapsulated packet is an ND message and not processing it further)?
BTW, an ND message as Pekka stated earlier can be sent over a tunnel.

"The ND packet is not forwarded outside of the link"

I know in the RFC4213, "Security consideration section", we state less
generically what I have stated below.

Thanks again,
Vishwas

-----Original Message-----
From: Ole Troan [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 28, 2005 11:55 AM
To: Vishwas Manral
Cc: Stig Venaas; IPv6
Subject: Re: draft-ietf-ipv6-2461bis-05

Vishwas,

> You said "There is no difference between a tunnel link and any other
> link media I think." 
>
> That is the exact issue in my case for ND messages. If we just send a
> packet tunneled, the TTL check for ND messages fails as we can send a
> packet from multiple hops away by just adding another layer of
> encapsulation.

the ND hop limit check does not fail. the ND packet is not forwarded
outside of the link. the tunnel link that is.

> That is the reason I suggested the text "The default behavior SHOULD be
> to not allow ND packets over tunnels, unless explicitly so configured."

I disagree with this proposal.

/ot



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
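
The hop-limit behaviour debated in this thread, as an added example that is not part of either message: a router hop decrements only the outermost IPv6 header, so the Hop Limit = 255 validation applied to a decapsulated ND packet says the packet was not forwarded on the tunnel link, and says nothing about how many routers the outer packet crossed. The packet builder, the addresses and all function names are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6, IPPROTO_ICMPV6 = 41, 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

def ipv6(src, dst, next_header, hop_limit, payload):
    """Build a 40-byte IPv6 header (no extension headers) followed by payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return fixed + addrs + payload

def parse(pkt):
    """Return (next_header, hop_limit, payload) of the outermost IPv6 header."""
    _, length, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return next_header, hop_limit, pkt[40:40 + length]

def route(pkt, hops):
    """Simulate routers: each hop decrements only the outermost hop limit."""
    return pkt[:7] + bytes([pkt[7] - hops]) + pkt[8:]

def nd_check(pkt):
    """Return (nd_type, hop_limit_is_255) for an ND packet, else (None, None)."""
    next_header, hop_limit, body = parse(pkt)
    if next_header != IPPROTO_ICMPV6 or not body or body[0] not in ND_TYPES:
        return None, None
    return ND_TYPES[body[0]], hop_limit == 255

def decapsulate(pkt):
    """Strip one IPv6-in-IPv6 layer; return (outer_hop_limit, inner_packet)."""
    next_header, hop_limit, inner = parse(pkt)
    return (hop_limit, inner) if next_header == IPPROTO_IPV6 else (hop_limit, None)

# Constructed sample: Neighbor Solicitation (type 135), checksum left as zero.
NS = bytes([135, 0, 0, 0]) + bytes(4) + ipaddress.IPv6Address("fe80::2").packed
INNER = ipv6("fe80::1", "ff02::1:ff00:2", IPPROTO_ICMPV6, 255, NS)
# Constructed tunnel endpoints from the documentation prefix 2001:db8::/32.
OUTER = ipv6("2001:db8:1::1", "2001:db8:2::1", IPPROTO_IPV6, 64, INNER)

def demo():
    native = nd_check(route(INNER, 1))                # ND forwarded by one router
    outer_hlim, inner = decapsulate(route(OUTER, 5))  # tunnel crossed 5 routers
    return native, outer_hlim, nd_check(inner)

if __name__ == "__main__":
    print(demo())
```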
