On Thu, Jan 05, 2006 at 08:40:23AM -0500, Brian Haberman wrote:
> This change was made to address DoS concerns raised with having
> the default behavior to respond to queries to the All-Nodes address.

Echo requests already have this problem. I have a feeling that it
makes no sense to drop queries to ff02::1 unless you also do the
same for all other ICMP types that require a response.

> Some people have argued that allowing nodes to respond in this
> case simplifies an attacker's ability to map out a victim network.

Currently to get a list of names I issue NI queries by using:

        ping6 -w ff02::1

I get the answer in 1+N packets. After this change to the draft I
do this:

        ping6 ff02::1 > responders
        # (responders assumed to hold one address per line)
        for addr in $(cat responders); do ping6 -w "$addr"; done

Now I have the same list of names; I've just had to use 1+3N packets.
That won't deter any attacker, but it makes life harder for the
person who actually wants to use NI queries for some legitimate
reason.

Maybe all this has been covered in a discussion somewhere already?
I did spend a while searching for such a discussion, but didn't
turn up anything useful.

> The change in multicast addresses was introduced to conform to RFC
> 3307.

Yes - though I thought part of Ron's motivation for the change was
to avoid sending NI queries to hosts that didn't want them. Regardless,
I'm OK with changing the multicast address range as long as it is
still possible to query ff02::1.

> The primary goal of this work is to document what has already been
> implemented.  Making the change to the multicast address was discussed
> with people who have already implemented the protocol to ensure it
> would not be a big impact.  Eliminating hashed name lookups would
> make this protocol a new protocol (in my opinion at least).

Changing the multicast range or eliminating hashed name lookups
would be easy implementation changes I guess. I'm just trying to
consider the usability of the protocol, which doesn't have much
to do with how hard it is to implement.

        David.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
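The two-step enumeration David sketches above (query ff02::1 for echo replies, then send one NI name query per responder), as an added, runnable shell example that is not part of the original message. It assumes KAME/BSD ping6 flag semantics (-w sends an NI DNS-name query, -c sets the count) and a constructed sample of ping6 output; the network-facing step is defined as a function but not invoked, so the block runs offline.

```shell
#!/bin/sh
# Added example (not from the original message): the two-step NI
# enumeration made runnable. Step 1 pings the all-nodes address and
# records who answered; step 2 sends one NI (DNS name) query per
# responder. Flags follow KAME/BSD ping6, where -w means "send an NI
# name query"; on Linux iputils, -w is a deadline in seconds instead.

# Constructed sample output, shaped like ping6 output for a query to
# ff02::1. Both BSD style ("from ADDR,") and Linux style ("from ADDR:")
# reply lines are included, plus a duplicate reply.
SAMPLE_PING6_OUTPUT='PING6(56=40+8+8 bytes) fe80::1%eth0 --> ff02::1%eth0
16 bytes from fe80::1%eth0, icmp_seq=0 hlim=64 time=0.1 ms
16 bytes from fe80::2%eth0, icmp_seq=0 hlim=64 time=0.3 ms
64 bytes from fe80::3%eth0: icmp_seq=1 ttl=64 time=0.5 ms
16 bytes from fe80::2%eth0, icmp_seq=0 hlim=64 time=0.3 ms(DUP!)

--- ff02::1%eth0 ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss'

# parse_responders: read ping6 output on stdin, print each responding
# address once. The address is the fourth field of a "bytes from"
# line, trailed by "," (BSD) or ":" (Linux). The scope id (%eth0) is
# kept: a link-local address cannot be queried without it.
parse_responders() {
    awk '/bytes from/ { a = $4; sub(/[,:]$/, "", a); print a }' | sort -u
}

# packet_cost: packets on the wire for N responders. Direct case: one
# multicast NI query plus N replies (1+N). Two-step case: one multicast
# echo request, N echo replies, then N unicast NI queries and N replies
# (1+3N). This is the arithmetic behind the message's comparison.
packet_cost() {
    echo "direct=$((1 + $1)) two_step=$((1 + 3 * $1))"
}

# ni_query_all: step 2, one NI name query per responder. Sends traffic,
# so it is only defined here. Usage:
#   ping6 -c 1 ff02::1%eth0 | parse_responders | ni_query_all
ni_query_all() {
    while IFS= read -r addr; do
        ping6 -c 1 -w "$addr"
    done
}
```

Two caveats for anyone running this for real: the scope id in the responder list must match the interface the echo request went out on, and on Linux iputils the NI query is selected with -N name rather than -w, so the loop body needs changing there.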