In your letter dated Tue, 12 Jul 2011 23:56:38 +0000 you wrote:
>Then I am really not worried. This kind of attack is trivially mitigated by
>any stateful firewall on the path.

If a stateful firewall is mandatory for the operation of IPv6 then it should be there in the specs. Last time I looked, there was no standards track RFC that made stateful firewall mandatory. I could be wrong though.

I'm not aware of any system today that in the presence of just SLAAC can figure out where the stateful firewall is hiding in the network and how to get it to open the port you need automatically (i.e. whenever a host allocates a passive socket).

If you want to go that route, then IMHO, there is a huge amount of work to be done. Certainly to get it to work transparently for every possible protocol that runs on top of IPv6.

Otherwise, it may be more productive to see a stateful firewall as an optional extra and fix the protocols to be safe even in the absence of such a device.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------