On Jun 23, 2011, at 6:08 PM, Philip Homburg wrote:
> Ideally, clients use end-to-end crypto to keep themselves secure, but the
> network still has to be protected against denial of service attacks.

No, strictly speaking the *clients* need to be protected against DoS attacks. One way to do this is to strongly control multicast on the network. But the network itself cannot suffer from rogue RA advertisements: it is other clients on the network that suffer. I realize that this seems like a trivial distinction, but I think it's important to be clear about it, because it's not always a safe assumption that any given network will be protected, and hence if we really care about DoS attacks as a general problem, we need to address the problem in a way that will work not just on hub-and-spoke networks, but on broadcast networks as well.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------