On Wed, 22 Jun 2011, RJ Atkinson wrote:

> It absolutely is an implementation issue -- specifically it is a "quality of implementation" issue, not a complexity issue.

I feel that there should be guidance regarding this in the SAVI documentation, even if this is only a pointer to another document that describes how to parse an IPv6 packet.

Just the same way that it's "obvious" that anyone can spoof RAs on a flat L2 LAN, it's "obvious" that fragmentation and headers can make parsing actual payload harder and needs to be handled. These two "obvious" have historically been overlooked numerous times.

Just the same way describing how to do SAVI L2.5 functionality to solve different security implications needs to be done to provide guidance to vendors, I also feel that they need to be helped to handle fragmentation attacks.

Mikael Abrahamsson    email: swm...@swm.pp.se
IETF IPv6 working group mailing list
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
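
The parsing problem raised in this message, sketched as an added example that is not from the thread or from any SAVI document: a walker that follows the IPv6 extension-header chain to the upper-layer protocol and reports the cases where a filtering device cannot see it. The verdict names, the `MAX_EXT` limit and the sample packets are assumptions constructed for illustration.

```python
import struct

HOP, ROUTING, FRAG, DEST = 0, 43, 44, 60   # IPv6 Next Header values
GENERIC = {HOP, ROUTING, DEST}             # share the (next header, length) layout
MAX_EXT = 8                                # assumed policy limit, not from the thread

def upper_layer(pkt: bytes):
    """Walk the extension-header chain; return (verdict, protocol, offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("not-ipv6", None, None)
    nh, off = pkt[6], 40
    for _ in range(MAX_EXT + 1):
        if nh in GENERIC:
            if off + 2 > len(pkt):
                return ("truncated", None, None)
            size = (pkt[off + 1] + 1) * 8  # Hdr Ext Len excludes the first 8 octets
            if off + size > len(pkt):
                return ("truncated", None, None)
            nh, off = pkt[off], off + size
        elif nh == FRAG:
            if off + 8 > len(pkt):
                return ("truncated", None, None)
            frag_offset = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_offset:
                # Later fragments carry no upper-layer header to inspect.
                return ("non-first-fragment", pkt[off], None)
            nh, off = pkt[off], off + 8
        else:
            # Simplification: AH, ESP and others are reported as the upper layer.
            return ("ok", nh, off)
    return ("chain-too-long", None, None)

def ipv6(nh: int, payload: bytes) -> bytes:
    """Build a constructed test packet with zeroed addresses."""
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 255) + bytes(32) + payload

# Constructed samples (ICMPv6 = 58, type 134 = Router Advertisement)
RA = b"\x86" + bytes(15)
DEST_OPTS = bytes([58, 0]) + bytes(6)
PLAIN = ipv6(58, RA)                       # RA directly after the base header
HIDDEN = ipv6(DEST, DEST_OPTS + RA)        # RA behind a Destination Options header
LATER = ipv6(FRAG, bytes([58, 0]) + struct.pack("!HI", 1 << 3, 1) + bytes(8))
CUT = ipv6(FRAG, bytes([DEST, 0]) + struct.pack("!HI", 1, 1))  # chain ends mid-way

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("hidden", HIDDEN), ("later", LATER), ("cut", CUT)]:
        print(name, upper_layer(p))
```

A device that only checks the base header's Next Header field sees protocol 60 or 44 for the last three samples and never reaches the ICMPv6 message; what to do with the `non-first-fragment` and `truncated` verdicts is a policy decision the code leaves to the caller.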
