On Thu, Jan 05, 2006 at 08:40:23AM -0500, Brian Haberman wrote:
> This change was made to address DoS concerns raised with having
> the default behavior to respond to queries to the All-Nodes address.

Echo requests already have this problem. I have a feeling that it makes no sense to drop queries to ff02::1 unless you also do the same for all other ICMP types that require a response.

> Some people have argued that allowing nodes to respond in this
> case simplifies an attacker's ability to map out a victim network.

Currently to get a list of names I issue NI queries by using:

    ping6 -w ff02::1

I get the answer in 1+N packets. After this change to the draft I do this:

    ping6 ff02::1 > responders
    for addr in `cat responders`; do ping6 -w $addr ; done

Now I have the same list of names, I've just had to use 1+3N packets. That won't deter any attacker, but makes life harder for the person who actually wants to use NI queries for some legitimate reason.

Maybe all this has been covered in a discussion somewhere already? I did spend a while searching for such a discussion, but didn't turn up anything useful.

> The change in multicast addresses was introduced to conform to RFC
> 3307.

Yes - though I thought part of Ron's motivation for the change was to avoid sending NI queries to hosts that didn't want them. Regardless, I'm OK with changing the multicast address range as long as it is still possible to query ff02::1.

> The primary goal of this work is to document what has already been
> implemented. Making the change to the multicast address was discussed
> with people who have already implemented the protocol to ensure it
> would not be a big impact. Eliminating hashed name lookups would
> make this protocol a new protocol (in my opinion at least).

Changing the multicast range or eliminating hashed name lookups would be easy implementation changes I guess. I'm just trying to consider the usability of the protocol, which doesn't have much to do with how hard it is to implement.

David.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------