On 03/15/2013 04:50 PM, Brian Haberman wrote:
> On 3/15/13 3:31 PM, Fernando Gont wrote:
>> Hi, Suresh,
>>
>> Thanks so much for your comments! -- Please see inline...
>>
>> On 03/15/2013 01:30 PM, Suresh Krishnan wrote:
>>> Hi Fernando,
>>> While I am supportive of getting rid of ICMPv6 responses for 10xxxxxx
>>> options, I am not at all sure about how probable this attack is. My
>>> understanding is that for this attack to work, the following two
>>> conditions need to be met.
>>>
>>> a) Ingress filtering MUST NOT be enabled on the attacker side
>>> b) multicast RPF on the path MUST NOT catch the packet and throw it away
>>>
>>> Is my understanding correct?
>>
>> Yes, it's correct.
>>
>> However, as noted on the "Next steps with
>> draft-gont-6man-predictable-fragment-id" thread, one usually cannot rely
>> on such filtering. That's mostly why e.g. reflection attacks are still
>> an issue.
>
> You cannot rely on a) occurring, but b) is done by all multicast routers
> for loop prevention.
I don't know *all* multicast routers, but in any case, Section 1 of the document states:

   "It should be noted that if the multicast RPF check is used (e.g. to
   prevent routing loops), this would prevent an attacker from forging
   the Source Address of a packet to an arbitrary value, thus preventing
   an attacker from launching this attack against a remote network.
   Chapter 5 of [Juniper2010] discusses multicast RPF configuration for
   Juniper routers."

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------