Brian,

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpen...@gmail.com]
> Sent: Friday, September 11, 2009 6:27 PM
> To: Templin, Fred L
> Cc: v6ops; Christian Huitema; ipv6@ietf.org; sec...@ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
> 
> On 2009-09-12 11:12, Templin, Fred L wrote:
> > Brian,
> >
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:brian.e.carpen...@gmail.com]
> >> Sent: Friday, September 11, 2009 4:06 PM
> >> To: Templin, Fred L
> >> Cc: Christian Huitema; v6ops; ipv6@ietf.org; sec...@ietf.org
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> On 2009-09-12 09:13, Templin, Fred L wrote:
> >>
> >> (much text deleted)
> >>
> >>> Otherwise, the best solution IMHO
> >>> would be to allow only routers (and not hosts) on the
> >>> virtual links.
> >> This was of course the original intention for 6to4, so
> >> that any misconfiguration issues could be limited to presumably
> >> trusted staff and boxes. Unfortunately, reality has turned out
> >> to be different, with host-based automatic tunnels becoming
> >> popular.
> >
> > Thanks. I was rethinking this a bit after sending, and
> > I may have been too premature in saying routers only
> > and not hosts.
> >
> > What I would rather have said was that mechanisms such as
> > SEcure Neighbor Discovery (SEND) may be helpful in private
> > addressing domains where spoofing is possible. Let me know
> > if this makes sense.
> 
> Except for the practical problems involved in deploying SEND.

Can it be said that there is any appreciable operational
experience with SEND yet? Are there implementations?

> We still have an issue in unmanaged networks.

By "unmanaged", how unmanaged do you mean? ISATAP is
intended for networks where there is at least some modicum
of cooperative management. We want that it can also be used
in "loosely" managed networks where there is an overall mutual
spirit of cooperation but where site-internal link-layer
address spoofing may still be possible. Can SEND be used
for that, or do we need something else in addition (e.g.,
a nonce with every message)?

Thanks - Fred
fred.l.temp...@boeing.com

>     Brian
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------