> >On Wed, May 16, 2007 at 03:54:48PM -0700, Dow Street wrote:
> >> I think the new draft is too extreme in its mitigation approach, and
> >> would favor the "disable by default" option instead.
> >
> >I think the new draft is too soft in its mitigation approach, and would
> >favour language that more strongly encourages filtering rthdr0 on the
> >forwarding path for all routers.
> 
> I think deprecation of RH0 along with BCP 38/84 ingress filtering on the edge
> would be effective in limiting attacks to internal networks.

        you know what, too much ingress filtering without rthdr2 support (MIP6
        home address option) would kill MIP6 at once.  MIP6 people will not
        be happy about it, i guess.

        so my take is there are only two stopgap measures:
        - max value for hoplimit is 255
        - packets with routing header (regardless of rthdr0 or rthdr2)
          go into slow path, so packets with rthdr0 *without DDoS* would not
          be able to saturate US-JP link

itojun2.0

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
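
An added example, not part of the original message or of any router implementation: a classifier that walks the IPv6 extension header chain and tells routing header type 0 apart from type 2, so that a filter aimed at rthdr0 does not also discard the MIP6 routing header. The three-way policy (drop type 0, slow-path other routing types, fast-path everything else) is an assumption that combines the positions in the thread; the function names and sample packets are constructed.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def find_routing_header(packet: bytes):
    """Return (routing_type, segments_left) of the first routing header, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == ROUTING:
            return packet[offset + 2], packet[offset + 3]
        if next_hdr == FRAGMENT:
            # A non-first fragment does not carry the rest of the header chain.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None
            length = 8
        else:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
            length = (packet[offset + 1] + 1) * 8
        next_hdr, offset = packet[offset], offset + length
    return None

def classify(packet: bytes) -> str:
    """Assumed policy: drop rthdr0, slow-path other routing types, else fast-path."""
    try:
        rh = find_routing_header(packet)
    except ValueError:
        return "drop"              # malformed chain: do not forward
    if rh is None:
        return "fast-path"
    return "drop" if rh[0] == 0 else "slow-path"

# Constructed sample packets (all-zero addresses, next header 59 = no next header).
def ipv6(next_hdr: int, payload: bytes, hop_limit: int = 64) -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
    return fixed + bytes(32) + payload

def routing_hdr(rtype: int) -> bytes:
    # One 16-byte address: Hdr Ext Len = 2, Segments Left = 1.
    return bytes([59, 2, rtype, 1]) + bytes(4) + bytes(16)

DEST_OPTS_PADN = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])  # dest opts, then routing hdr

if __name__ == "__main__":
    for name, pkt in [("rthdr0", ipv6(ROUTING, routing_hdr(0))),
                      ("rthdr2", ipv6(ROUTING, routing_hdr(2)))]:
        print(name, classify(pkt))
```

The routing header is matched wherever it sits in the chain, since checking only the Next Header field of the fixed header would miss a type 0 header placed behind a destination options header.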
