At Mon, 25 Jun 2007 10:45:35 -0400,
"Hemant Singh (shemant)" <[EMAIL PROTECTED]> wrote:

> Let us summarize the discussion that has taken place so far and issues
> closed.
> 
> 1. Technical content - Brian has agreed below that the problem we
> describe is real and we are saying our recommendation to change 2462bis
> I-D does fix this problem. Tatuya still has some issues with our
> problem, but we think till he fixes some typos in his email we cannot
> reply to him. This is what was sent from Tatuya that we think is text
> with typos:
> 
> "First, it is not clear which "security problem" this bullet tries to
> indicate.  Also, if Host1 is assumed to be the attacker that mounts
> traffic hijacking and/or DoS against Host2, forcing Host2 to perform DAD
> doesn't help because Host1 can get the same result by simply ignoring
> the DAD-NS from Host1."

Yeah, there was a typo.  It should actually be:

First, it is not clear which "security problem" this bullet tries to
indicate.  Also, if Host1 is assumed to be the attacker that mounts
traffic hijacking and/or DoS against Host2, forcing Host2 to perform DAD
doesn't help because Host1 can get the same result by simply ignoring
the DAD-NS from Host2.
(i.e., replace the final "Host1" with "Host2")

> Tatuya also needs to explain how ignoring DAD from a host is a valid
> implementation of the 2462 standards.

Why should I?  I interpreted the bullet as describing Host1 was an
attacker, so it would do anything (whether it's valid or not wrt
standards) to make the attack succeed.

In any event, the main point is that it's not clear (to me) which
"security problem" this draft tries to explain (and how the change in
the specification helps solve or mitigate the "problem").

> Well, if stacks do not skip DAD, then there should be no problem with
> tightening up the language as we've proposed. 

I'd rather say that *if* stacks do not skip DAD, then there should be
no problem with leaving the current text as is (remember new
implementations won't skip DAD, so leaving the text won't cause a
problem in the future either).  And if so, I'd rather keep it since I
don't see any value in modifying text that has been fully reviewed and
does not actually have any problem.

But I in fact didn't mean all stacks don't skip DAD.  I simply
interpreted the following part

> > what he's saying is that the various IPv6 
> > implementations around don't run in his lab as well as advertised - 
> > the running code doesn't run all that well - and he has some 
> > suggestions for Vista Service Pack 1, MacOSX Leopard, Linux, etc.

as indicating MacOSX or Linux do skip DAD and tried to point out it's
not true.

                                        JINMEI, Tatuya
                                        Communication Platform Lab.
                                        Corporate R&D Center, Toshiba Corp.
                                        [EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
