Hi Jinmei,

I agree the RPF check mitigates a few issues (as the IP source address should be upstream on the same port from which a multicast packet came in). However this still leaves room for attacks upstream from any router downstream in the Multicast tree. However the amplification factor that can be got from such an attack can be multiple times more than the routing header amplification attack.

Also I am unsure, but if we can tunnel such multicast packets, then we get over the whole factor of RPF, by being able to send a packet from anywhere on the internet.

However if the consensus is that the issue is not very practical in live networks then I will just drop the discussion here.

Thanks,
Vishwas

On 5/30/07, JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> wrote:
At Tue, 29 May 2007 17:40:31 -0700, "Vishwas Manral" <[EMAIL PROTECTED]> wrote:

> I guess we understand the issues well. Do we think it is important
> enough to deprecate the option or not?

No. If you really understood what Pekka pointed out, I don't simply understand in which point you thought it is "important". Could you describe exactly how this causes a problem even if routers perform the RPF check correctly (which I believe can be reasonably assumed)?

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------