Gabi and Christian,
Focusing only on attack #3 (i.e., leaving out attack #1
and #2 6to4 interactions for the moment), please check
the following summary of proposed mitigations:
1) For ISATAP/VET routers that have assurance that their
neighbor cache is coherent, the router can make a simple
check
Hi Christian,
Thanks for your comments.
The checks you suggested are powerful and will indeed mitigate the attacks. The
only thing that worries me is the fact that usually AFAIK the ISATAP router is
not configured with the IPv4 subnet addresses of the site. This means that the
router must now
picking up an old thread.
[...]
> - DHCP and stateless autoconf. This document is probably not the
> right place to discuss the M&O bits, but IMO this document should
> say more about DHCP vs. stateless and the issues surrounding when
> to implement one or the other. Not to mandate them. A
Fred,
- Original Message
> From: "Templin, Fred L"
> To: Gabi Nakibly ; v6ops
> Cc: ipv6@ietf.org; sec...@ietf.org
> Sent: Friday, September 4, 2009 10:00:53 PM
> Subject: RE: Routing loop attacks using IPv6 tunnels
>
> Gabi,
>
> I'd like to make one other observation about these ch
Fred,
Se below.
Gabi
- Original Message
> From: "Templin, Fred L"
> To: Gabi Nakibly ; v6ops
> Cc: ipv6@ietf.org; sec...@ietf.org
> Sent: Thursday, September 3, 2009 5:59:36 PM
> Subject: RE: Routing loop attacks using IPv6 tunnels
>
> Gabi,
>
> > -Original Message-
> > From: