On Jun 22, 2011, at 4:15 AM, Mikael Abrahamsson wrote:

> Just the same way that it's "obvious" that anyone can spoof RAs on a flat L2
> lan, it's "obvious" that fragmentation and headers can make parsing actual
> payload harder and needs to be handled. These two "obvious" have historically
> been overlooked numerous times.

From my perspective, the issue with the RA-Guard evasion draft isn't that the
faults are possible or that they are described; it's that the description is
specific to RA-Guard. In point of fact, these kinds of attacks are true for
any kind of firewall or other middleware that has the notion of identifying a
specific non-IP packet and selectively doing something to it. I personally think
the right way to approach this is to describe the attack and note, in a
footnote somewhere, that one of the ten thousand special cases it applies to
is RA Guard. Another one that it applies to is any case of deep packet
inspection, a specific special case of that being Cleanfeed - anyone that
thinks they can use deep packet inspection to eliminate pornography, Al-Qaeda
literature, or dog racing should be advised that overcoming that is as simple
as https or obscure fragmentation that splits a "GET" at a difficult place.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
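
The general point in the message above, that a middlebox matching on single packets misses a pattern split across fragments, can be shown with a small model. This is an added example, not part of the original message or of any RA-Guard or Cleanfeed implementation. It assumes a simplified packet made of only the 8-byte IPv6 Fragment header plus raw application bytes (IPv6 and TCP headers omitted), and the signature, request and identification value are constructed.

```python
import struct

SIGNATURE = b"GET /blocked"  # constructed pattern the middlebox should catch

def build_fragment(ident, offset, more, data, next_header=6):
    """Constructed sample: 8-byte IPv6 Fragment header followed by data."""
    assert offset % 8 == 0, "fragment offsets are in 8-octet units"
    return struct.pack("!BBHI", next_header, 0, offset | int(more), ident) + data

def parse_fragment(pkt):
    _nh, _rsv, off_m, ident = struct.unpack("!BBHI", pkt[:8])
    return ident, off_m & 0xFFF8, bool(off_m & 1), pkt[8:]

def per_packet_match(pkt):
    """Stateless inspection: each fragment is judged on its own bytes."""
    return SIGNATURE in parse_fragment(pkt)[3]

class ReassemblingInspector:
    """Buffers fragments per identification value, inspects the whole payload."""
    def __init__(self):
        self.pending = {}  # ident -> {"parts": {offset: data}, "total": int|None}

    def feed(self, pkt):
        ident, offset, more, data = parse_fragment(pkt)
        st = self.pending.setdefault(ident, {"parts": {}, "total": None})
        for o, d in st["parts"].items():
            if offset < o + len(d) and o < offset + len(data):
                del self.pending[ident]  # overlapping fragments: discard datagram
                return "drop-overlap"
        st["parts"][offset] = data
        if not more:
            st["total"] = offset + len(data)
        payload, pos = b"", 0
        for o, d in sorted(st["parts"].items()):
            if o != pos:
                return "pending"  # hole before this fragment
            payload, pos = payload + d, pos + len(d)
        if pos != st["total"]:
            return "pending"  # last fragment not seen yet
        del self.pending[ident]
        return "match" if SIGNATURE in payload else "clean"

def demo():
    request = b"GET /blocked HTTP/1.1\r\nHost: example.test\r\n\r\n"
    frags = [build_fragment(0x1234, 0, True, request[:8]),
             build_fragment(0x1234, 8, False, request[8:])]
    insp = ReassemblingInspector()
    return [per_packet_match(f) for f in frags], [insp.feed(f) for f in reversed(frags)]
```

The per-packet check misses both fragments, while the reassembling inspector reports the match once the datagram is complete, even with the fragments arriving out of order. A production reassembler would also need timeouts and a cap on buffered state, which this model leaves out.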