On 3/15/13 3:31 PM, Fernando Gont wrote:
Hi, Suresh,

Thanks so much for your comments! -- Please see inline...

On 03/15/2013 01:30 PM, Suresh Krishnan wrote:
Hi Fernando,
   While I am supportive of getting rid of ICMPv6 responses for 10xxxxxx
options, I am not at all sure about how probable this attack is. My
understanding is that for this attack to work, the following two
conditions need to be met.

a) Ingress filtering MUST NOT be enabled on the attacker side
b) multicast RPF on the path MUST NOT catch the packet and throw it away

Is my understanding correct?

Yes, it's correct.

However, as noted on the "Next steps with
draft-ong-t6man-preditable-fragment-id", one usually cannot rely on such
filtering. That's mostly why e.g. reflection attacks are still an issue.

You cannot rely on a) occurring, but b) is done by all multicast routers for loop prevention.

Brian


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
