Hi Jinmei,

I agree the RPF check mitigates a few issues (as the IP source address
should be upstream on the same port from which a multicast packet came
in).

However this still leaves room for attacks upstream from any router
downstream in the Multicast tree. However the amplification factor
that can be got from such an attack can be multiple times more than
the routing header amplification attack. Also I am unsure, but if we
can tunnel such multicast packets, then we get over the whole factor
of RPF, by being able to send a packet from anywhere on the internet.

However if the consensus is that the issue is not very practical in
live networks then I will just drop the discussion here.

Thanks,
Vishwas

On 5/30/07, JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> wrote:
At Tue, 29 May 2007 17:40:31 -0700,
"Vishwas Manral" <[EMAIL PROTECTED]> wrote:

> I guess we understand the issues well. Do we think it is important
> enough to deprecate the option or not?

No.  If you really understood what Pekka pointed out, I don't simply
understand in which point you thought it is "important".  Could you
describe exactly how this causes a problem even if routers perform the
RPF check correctly (which I believe can be reasonably assumed)?

                                        JINMEI, Tatuya
                                        Communication Platform Lab.
                                        Corporate R&D Center, Toshiba Corp.
                                        [EMAIL PROTECTED]


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
