On Thu, 5 Jan 2006, Brian Haberman wrote:
Some text seems to have been added to the draft that I don't remember
being discussed here. The diff is:

                         node MAY be configured to discard NI Queries to
    multicast addresses other than its NI Group Address(es) but if so,
-   the default configuration MUST be not to discard them.
+   the default configuration SHOULD be not to discard them.  An
+   exception is made in the previous rule in the case of the All-Routers
+   (FF02::2) and All-Nodes (FF02::1) multicast addresses.  The default
+   configuration for responding to NI Queries to these multicast
+   addresses MUST be to discard them.
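Review bot: the hunk bundles two independent normative changes and the message justifies only the second. The first changed line downgrades the existing rule from "MUST be not to discard" to "SHOULD be not to discard" for every multicast address other than the NI Group Address(es), while the stated motivation (DoS and network-mapping concerns) is about All-Nodes and All-Routers only. If the intent is just the FF02::1/FF02::2 exception, keep "the default configuration MUST be not to discard them." and append the exception; if the MUST-to-SHOULD downgrade is deliberate, the draft should say what configurations it is meant to permit, since the message never mentions it. The exception sentence would also read less ambiguously stated directly, e.g. "The default configuration MUST be to discard NI Queries sent to the All-Nodes (FF02::1) and All-Routers (FF02::2) multicast addresses.", rather than "The default configuration for responding to ... MUST be to discard them".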

All-nodes is one of the most useful addresses to send a node
information query to. If you are trying to find a newly configured
bit of kit you've just plugged in you'll query the all nodes address
and see if it responds with a recognisable name. Requiring that
nodes do not respond by default makes this far less useful.

This change was made to address DoS concerns raised with having
the default behavior to respond to queries to the All-Nodes address.
Some people have argued that allowing nodes to respond in this
case simplifies an attacker's ability to map out a victim network.
Do others have concerns with the document as it is?

Yes. I completely agree with David on this. A NIQ to the link-local all-hosts or all-routers group is a very useful feature (maybe even the most useful for ICMP NIQ), and I don't think it's good to forbid that.

It doesn't even really give much security. If you have access to the link, you can pretty much observe which nodes are on the link anyway using dozens of mechanisms such as:
 - pinging all-routers/all-hosts mcast address and then sending
   individual NIQs
 - looking at the ND packets that fly by
 - etc.

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
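The responder-side policy the thread is arguing over, written out as an added example (not code from this thread, from the draft, or from any implementation): a node answers an NI Query sent to one of its NI Group Addresses, answers other multicast queries unless the operator has configured it to discard them, and, under the hunk's new text, discards All-Nodes/All-Routers queries unless the operator has explicitly enabled answering them. The NI Group Address derivation follows my reading of RFC 4620 section 5 (first label, lowercased, in DNS wire form with its length byte, MD5, first 24 bits into ff02:0:0:0:0:2:ff00::/104); verify it against the RFC before relying on it. The function and flag names (`should_answer`, `answer_all_nodes`, `discard_other_multicast`) are mine, not anything the draft defines.

```python
import hashlib
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
# NI Group Address prefix from RFC 4620; the low 24 bits come from the name hash.
NI_GROUP_PREFIX = ipaddress.IPv6Network("ff02:0:0:0:0:2:ff00::/104")


def ni_group_address(name: str) -> ipaddress.IPv6Address:
    """NI Group Address for a node name.

    Per my reading of RFC 4620 section 5 (assumption, verify against the RFC):
    take the first label of the name, lowercase it, put it in DNS wire form
    (one length byte followed by the label), MD5 it, and append the first
    24 bits of the digest to ff02:0:0:0:0:2:ff00::/104.
    """
    label = name.rstrip(".").split(".")[0].lower().encode("ascii")
    wire = bytes([len(label)]) + label
    low24 = int.from_bytes(hashlib.md5(wire).digest()[:3], "big")
    return ipaddress.IPv6Address(int(NI_GROUP_PREFIX.network_address) | low24)


def should_answer(dst: ipaddress.IPv6Address,
                  node_names: list,
                  answer_all_nodes: bool = False,
                  discard_other_multicast: bool = False) -> bool:
    """Decide whether an NI Query addressed to `dst` gets a reply.

    Defaults encode the hunk's new text: All-Nodes/All-Routers queries are
    discarded unless `answer_all_nodes` is set (MUST discard by default),
    other non-NI-Group multicast queries are answered unless the operator
    set `discard_other_multicast` (SHOULD not discard by default).
    Unicast destinations are treated as answered here; that is an assumption
    outside the quoted hunk, which only covers multicast.
    """
    if not dst.is_multicast:
        return True
    # Queries to one of this node's own NI Group Addresses are always answered.
    if dst in NI_GROUP_PREFIX and any(dst == ni_group_address(n) for n in node_names):
        return True
    # All-Nodes / All-Routers: the exception introduced by the hunk.
    if dst in (ALL_NODES, ALL_ROUTERS):
        return answer_all_nodes
    # Any other multicast address: answered unless configured to discard.
    return not discard_other_multicast


if __name__ == "__main__":
    # Constructed sample: a node named "host" and a few destination addresses.
    names = ["host.example.com"]
    for d in (ni_group_address("host"), ALL_NODES, ipaddress.IPv6Address("ff02::abcd")):
        print(d, "default ->", should_answer(d, names),
              "| all-nodes enabled ->", should_answer(d, names, answer_all_nodes=True))
```

Running it shows the effect David objects to: with the hunk's defaults, the NI Group Address query is answered, the ff02::1 query is not, and only an explicit operator setting restores the all-nodes behaviour he relies on.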

