On 06/22/2011 05:04 PM, Fred Baker wrote:
>> From my perspective, the issue with the RA-Guard evasion draft
>> isn't that the faults are possible or that they are described; it's
>> that the description is specific to RA-Guard. In point of fact,
>> these kinds of attacks are true for any kind of firewall or other
>> middleware that has the notion of identifying a specific non-IP
>> packet and selectively doing something to it.

There are some specific considerations for RA-Guard:

* RA-Guard has been specified, whereas firewall behaviour hasn't.
* Many networks employ DHCPv4-guard and/or arp-monitoring, and probably expect to be able to do the same thing with IPv6 -- but these evasion techniques apply only to the v6 case.
* RA-Guard is implemented in layer-2 devices, where fragment reassembly would be too onerous.

>> to eliminate pornography, Al-Qaeda literature, or dog racing should
>> be advised that overcoming that is as simple as https or obscure
>> fragmentation that splits a "GET" at a difficult place.

Parsing the app stream was already difficult with v4. Not being able to even find the upper-layer header is new with v6.

Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
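An added illustration (not from this thread and not any vendor's RA-Guard code) of the parsing problem discussed above: a layer-2 filter can only walk the extension-header chain of the frame it holds, so once it meets a Fragment header or a Next Header value it cannot parse past, the upper-layer header is simply not findable and the filter must report "undetermined" and fail closed rather than conclude "not an RA". Header numbers are the IANA-assigned ones; the sample packets are constructed here and carry zero checksums, which classification does not look at.

```python
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DESTOPTS = 0, 43, 44, 60
NH_TCP, NH_UDP, NH_ICMPV6, NH_NONE = 6, 17, 58, 59
ICMPV6_ROUTER_ADVERT = 134
EXT_HDRS = {NH_HOPOPTS, NH_ROUTING, NH_DESTOPTS}   # length = (ext_len + 1) * 8 octets
UPPER_LAYER = {NH_TCP, NH_UDP, NH_NONE}            # known non-ICMPv6 chain terminators

def classify_ipv6(pkt: bytes) -> str:
    """Walk the header chain of one frame's IPv6 payload without reassembly.
    Returns "ra", "other" or "undetermined"; a guard should drop "undetermined"."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "undetermined"
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    while True:
        if next_hdr in EXT_HDRS:
            if off + 2 > len(pkt):
                return "undetermined"            # chain runs off the end of the frame
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif next_hdr == NH_FRAGMENT:
            # A layer-2 device cannot reassemble: the upper-layer header may sit in
            # another fragment, so no verdict is possible from this frame alone.
            return "undetermined"
        elif next_hdr == NH_ICMPV6:
            if off >= len(pkt):
                return "undetermined"
            return "ra" if pkt[off] == ICMPV6_ROUTER_ADVERT else "other"
        elif next_hdr in UPPER_LAYER:
            return "other"
        else:
            return "undetermined"                # unknown header: cannot parse past it

def _ipv6(next_hdr: int, payload: bytes) -> bytes:
    # Constructed sample: fe80::1 -> ff02::1, hop limit 255 as a real RA would carry.
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 255) + src + dst + payload

# Constructed packets: type 134 ICMPv6 body with zeroed checksum/fields.
RA = bytes([ICMPV6_ROUTER_ADVERT, 0]) + bytes(14)
PLAIN_RA = _ipv6(NH_ICMPV6, RA)
DESTOPT_RA = _ipv6(NH_DESTOPTS, bytes([NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA)   # PadN option
FRAGMENTED_RA = _ipv6(NH_FRAGMENT, bytes([NH_ICMPV6, 0, 0, 1]) + b"\x00\x00\x12\x34" + RA)
TCP_SYN = _ipv6(NH_TCP, bytes(20))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_RA), ("destopt", DESTOPT_RA),
                      ("fragment", FRAGMENTED_RA), ("tcp", TCP_SYN)]:
        print(f"{name}: {classify_ipv6(pkt)}")
```

A guard that lets "undetermined" through is exactly the filter the evasion draft describes; treating it as a drop (or at least a logged, rate-limited event) is the mitigation a layer-2 device can afford without reassembly.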