On 03/15/2013 04:50 PM, Brian Haberman wrote:
> On 3/15/13 3:31 PM, Fernando Gont wrote:
>> Hi, Suresh,
>>
>> Thanks so much for your comments! -- Please see inline...
>>
>> On 03/15/2013 01:30 PM, Suresh Krishnan wrote:
>>> Hi Fernando,
>>>    While I am supportive of getting rid of ICMPv6 responses for 10xxxxxx
>>> options, I am not at all sure about how probable this attack is. My
>>> understanding is that for this attack to work, the following two
>>> conditions need to be met.
>>>
>>> a) Ingress filtering MUST NOT be enabled on the attacker side
>>> b) multicast RPF on the path MUST NOT catch the packet and throw it away
>>>
>>> Is my understanding correct?
>>
>> Yes, it's correct.
>>
>> However, as noted on the "Next steps with
>> draft-ong-t6man-preditable-fragment-id", one usually cannot rely on such
>> filtering. That's mostly why e.g. reflection attacks are still an issue.
> 
> You cannot rely on a) occurring, but b) is done by all multicast routers
> for loop prevention.

I don't know *all* of multicast routers, but in any case, Section 1 of
the document states:

"     It should be noted that if the multicast RPF check is used (e.g.
      to prevent routing loops), this would prevent an attacker from
      forging the Source Address of a packet to an arbitrary value, thus
      preventing an attacker from launching this attack against a remote
      network.

      Chapter 5 of [Juniper2010] discusses multicast RPF configuration
      for Juniper routers."

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
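As an added illustration, not part of the thread and not any vendor's router code: a toy model of the two conditions Suresh lists, (a) ingress filtering at the attacker's edge and (b) a strict multicast RPF check on the path. The FIB, interface names and customer prefix below are constructed for the example. It shows why a forged source that "lives behind" a different interface fails the RPF check, why the attack only succeeds when both checks are absent, and the caveat that a default route lets strict RPF accept any otherwise unrouted source on the default interface.

```python
import ipaddress

# Constructed longest-prefix-match FIB for the example router:
# destination prefix -> interface the router would use to reach it.
FIB = {
    ipaddress.ip_network("2001:db8:1::/48"): "eth0",
    ipaddress.ip_network("2001:db8:2::/48"): "eth1",
    ipaddress.ip_network("::/0"): "eth2",  # default route (see caveat below)
}

# Constructed prefix assigned to the customer attached to eth0 (the "attacker side").
EDGE_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]


def lookup(fib, addr):
    """Longest-prefix match: the interface the router would use to send *to* addr."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def rpf_check(fib, src, ingress_iface):
    """Strict reverse-path-forwarding check: accept only if the packet arrived
    on the interface the router would use to reach its source address.
    Caveat: with a default route installed, any source not covered by a more
    specific prefix passes if it arrives on the default-route interface."""
    return lookup(fib, src) == ingress_iface


def ingress_filter(allowed_prefixes, src):
    """BCP 38-style ingress filtering at the customer edge: accept only
    sources inside the prefixes assigned to that customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in allowed_prefixes)


def forged_source_passes(src, ingress_iface, edge_prefixes, fib,
                         ingress_filtering=True, rpf=True):
    """True if a packet with source `src` arriving on `ingress_iface` would be
    forwarded, given which of the two checks are deployed. Mirrors the two
    conditions in the thread: the attack works only if both are absent."""
    if ingress_filtering and not ingress_filter(edge_prefixes, src):
        return False
    if rpf and not rpf_check(fib, src, ingress_iface):
        return False
    return True


if __name__ == "__main__":
    forged = "2001:db8:2::1"   # belongs behind eth1, but sent from the eth0 customer
    genuine = "2001:db8:1::5"  # legitimately behind eth0
    print("genuine source, both checks on :", forged_source_passes(genuine, "eth0", EDGE_PREFIXES, FIB))
    print("forged source, both checks on  :", forged_source_passes(forged, "eth0", EDGE_PREFIXES, FIB))
    print("forged source, only RPF on     :", forged_source_passes(forged, "eth0", EDGE_PREFIXES, FIB, ingress_filtering=False))
    print("forged source, both checks off :", forged_source_passes(forged, "eth0", EDGE_PREFIXES, FIB, ingress_filtering=False, rpf=False))
    print("unrouted source on default iface, RPF on:", rpf_check(FIB, "2001:db8:ffff::1", "eth2"))
```

Either check alone stops the forged packet here, which is the point of the exchange: (a) cannot be relied on across the Internet, so the question is whether (b) is in fact deployed on every multicast router along the path.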

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
