In your letter dated Sun, 17 Jul 2011 21:53:20 +0930 you wrote:
>I think the ultimate root cause is that the creation of neighbor cache
>entries is triggered by data plane traffic, rather than created by a
>control plane protocol i.e. a neighbor registration protocol. I think
>that means that what ever mitigations are put in place, they'll likely
>always be fundamentally vulnerable to data plane traffic attacks.

I don't think that is true. But that is for later.

>If changing the way ND NS/NAs work is an option, then it might be
>better to adopt or use as a model the 6lowpan neighbor registration
>protocols, or perhaps review the ES-IS protocol as a model. That is
>obviously a large and wholesale change, however I think it would be the
>only way to truly eliminate any data plane traffic attacks on neighbor
>resolution.

I think we should just put the various design options on the table. See how
they work, how many changes they require etc.

But before that, the question now on the table is whether v6ops wants to spend
more time figuring out what can be done with the current standards and/or
what guidance they can give for new options.


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
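Added illustration of the contrast drawn in the quoted paragraph (cache entries created by data-plane traffic versus entries created by a host registration protocol); this is a toy model written for this page, not code from the thread or from any implementation. The cache capacity, the cap of 16 unresolved entries (the kind of limit on INCOMPLETE entries that RFC 6583 later recommended), and the addresses are all assumptions.

```python
from collections import OrderedDict

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    """Toy per-interface neighbor cache (assumed model, not a real stack).
    capacity: total entries; when full, the oldest entry is evicted.
    max_incomplete: cap on unresolved entries, or None for no cap."""

    def __init__(self, capacity, max_incomplete=None):
        self.entries = OrderedDict()      # address -> state, oldest first
        self.capacity = capacity
        self.max_incomplete = max_incomplete

    def incomplete(self):
        return sum(1 for s in self.entries.values() if s == INCOMPLETE)

    def forward(self, dst):
        """Data-plane trigger: a packet to an on-link dst with no entry starts
        address resolution, i.e. creates an INCOMPLETE entry. Returns True if
        the packet is queued, False if it is dropped because of the cap."""
        if dst in self.entries:
            self.entries.move_to_end(dst)
            return True
        if self.max_incomplete is not None and self.incomplete() >= self.max_incomplete:
            return False
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # evicts oldest, even a REACHABLE one
        self.entries[dst] = INCOMPLETE
        return True

    def register(self, addr):
        """Control-plane trigger: the host announces its own address
        (registration-style ND), so the entry is created REACHABLE."""
        self.entries[addr] = REACHABLE


def scenario(max_incomplete, capacity=64, unsolicited=1000):
    """One registered host, then `unsolicited` packets to distinct on-link
    addresses nobody registered. Returns (entries, incomplete entries,
    registered host still REACHABLE)."""
    cache = NeighborCache(capacity, max_incomplete)
    host = "2001:db8::1"                  # constructed documentation address
    cache.register(host)
    for i in range(unsolicited):
        cache.forward(f"2001:db8::dead:{i:x}")   # constructed, never registered
    return len(cache.entries), cache.incomplete(), cache.entries.get(host) == REACHABLE


if __name__ == "__main__":
    print("no cap on INCOMPLETE:", scenario(None))   # (64, 64, False): host evicted
    print("cap of 16 INCOMPLETE:", scenario(16))     # (17, 16, True): host kept
```

Without the cap, unsolicited data-plane traffic alone pushes the legitimately registered neighbor out of the table; with the cap, unresolved entries are bounded and the resolved entry survives, which is the mitigation space the thread is asking v6ops to weigh.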
