Joe Abley wrote:
>
> On 13-Jun-2007, at 10:09, Jeroen Massar wrote:
>
>> I have one teeny thing that I think would be worthwhile repeating in
>> that document: "Please enable uRPF where possible" as that actually
>> already takes care of most of the problem as packets can't go where
>> they are not able to come from.
>
> Is this not implicit in the various references to RFC2827 and RFC3704?

Yes, but how many people actually implement it? :)

It is also why I noted that it might be worthwhile repeating it. Clearly a lot of networks don't do uRPF. It is still possible to spoof from a lot of networks (both IPv4 and IPv6). The most heard reason is that they "can't" because the hardware/software of their routers/APs doesn't support it. In a lot of cases it can be enabled, but people simply don't.

If a network does do uRPF, most RH0 attacks are already resolved, as then the router can't send the packet back over the link as the source address is incorrect. As such it is IMHO relevant to mention.

I am not requiring, or anything near that, that it goes in btw, but I do think it might be a good idea to put in the document just as a reminder for people who don't read the whole chain of documents.

Greets,
 Jeroen

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
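
The strict-mode uRPF check this message refers to, as an added example that is not part of the original e-mail: a small Python model of a router that accepts a packet only when the best route back to its source points out the interface it arrived on. The FIB, the interface names and the addresses (taken from the 2001:db8::/32 documentation prefix) are constructed for illustration, and the check is applied on every interface for simplicity.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: (prefix, outgoing interface).
FIB = [
    ("2001:db8:a::/48", "cust0"),   # customer A, attached on cust0
    ("2001:db8:b::/48", "cust1"),   # customer B, attached on cust1
    ("::/0", "upstream0"),          # default route towards the transit provider
]

def best_route(addr, fib=FIB):
    """Longest-prefix match: interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_strict(src, in_if, fib=FIB):
    """Strict-mode uRPF (RFC 3704): the best route back to the source
    address must point out the interface the packet arrived on."""
    return best_route(src, fib) == in_if

def forward(src, dst, in_if, fib=FIB):
    """Return the egress interface, or None when uRPF drops the packet."""
    if not urpf_strict(src, in_if, fib):
        return None
    return best_route(dst, fib)

if __name__ == "__main__":
    # Constructed sample packets: (source, destination, ingress interface).
    samples = [
        ("2001:db8:a::10", "2001:db8:ffff::1", "cust0"),     # genuine customer A traffic
        ("2001:db8:b::10", "2001:db8:ffff::1", "cust0"),     # source belongs to another link
        ("2001:db8:a::10", "2001:db8:b::1", "upstream0"),    # returns on a link its source is not behind
    ]
    for src, dst, in_if in samples:
        out = forward(src, dst, in_if)
        print(f"{src} -> {dst} via {in_if}: {'drop (uRPF)' if out is None else 'forward to ' + out}")
```
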