Erik Nordmark wrote:
>
> > I agree that the security issues here are great, and that there is a need in
> > the Management world for this feature. If you could limit this to an SNMP v3
> > secure function and not an IPv6 function then maybe we could work this out
> > within the security concerns of
Tom Petch wrote:
> >
> > > I think that might be a reasonable middle ground. It would still make it
> > > harder than in IPv4 to explore all hosts, yet one can have e.g. SNMP
> > > access to a local agent on the link that provides this (with appropriate
> > > SNMP security) to allow remote managemen
Eric Klein wrote:
I agree that the security issues here are great, and that there is a need in
the Management world for this feature. If you could limit this to an SNMP v3
secure function and not an IPv6 function then maybe we could work this out
within the security concerns of all involved. But
Tom Petch
- Original Message -
From: "Eric Klein" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, August 03, 2005 9:36 AM
Subject: Re: network/all-host discovery and flooding attacks.
> Erik Nordmark wrote:
>
> > I think that might be a reasonable middle gr
Erik Nordmark wrote:
> I think that might be a reasonable middle ground. It would still make it
> harder than in IPv4 to explore all hosts, yet one can have e.g. SNMP
> access to a local agent on the link that provides this (with appropriate
> SNMP security) to allow remote management.
>
> Elsewhe
In your previous mail you wrote:
It's important that the solution allows the tool to discover multiple
addresses used by a single node, i.e. the management view should show
a multiaddressed node (e.g. two globals and seven RFC3041 addresses on
one node) and not believe it's viewing mu
Hi Mohacsi, Greg,
On Tue, 2 Aug 2005 18:48:11 +0200 (CEST)
Mohacsi Janos <[EMAIL PROTECTED]> wrote:
>
> On Wed, 3 Aug 2005, Mark Smith wrote:
>
> > Hi Greg,
> >
> > On Wed, 03 Aug 2005 01:48:42 +1000
> > Greg Daley <[EMAIL PROTECTED]> wrote:
> >
> >> Hi,
> >>
> >
> >>
> >> At
On Tue, Aug 02, 2005 at 09:49:17AM -0700, Erik Nordmark wrote:
>
> That is the case if a remote node can do the discovery operation. But if
> the discovery operation is limited to nodes on the link, then we don't
> have the "remote" concern.
>
> I think that might be a reasonable middle ground.
I don't like multicast-based random discovery but about the security
it is why we have scoped multicast...
Regards
[EMAIL PROTECTED]
PS: I am in favor of as possible passive mechanisms, and in my IMHO
too active mechanisms won't get better result just because too many
devices will be configured
On Wed, 3 Aug 2005, Mark Smith wrote:
Hi Greg,
On Wed, 03 Aug 2005 01:48:42 +1000
Greg Daley <[EMAIL PROTECTED]> wrote:
Hi,
At the moment there's no security for MLD, but the risk is
limited to link-local addresses which are not vulnerable to
off-link attacks.
Until malware, del
Greg Daley wrote:
I'm concerned that if there is a way to find out all the
nodes on a link, that this information may be used
(by the querier, or another device) to cause remote flooding
attacks onto a network, or to particular otherwise unmodified
hosts.
That is the case if a remote node can
Hi Greg,
On Wed, 03 Aug 2005 01:48:42 +1000
Greg Daley <[EMAIL PROTECTED]> wrote:
> Hi,
>
>
> At the moment there's no security for MLD, but the risk is
> limited to link-local addresses which are not vulnerable to
> off-link attacks.
>
Until malware, delivered as an email payload or via
Hi,
I think there are some interesting discussions going on
in a different thread, but I thought I'd start a new thread
in order to talk about a contentious issue without polluting
the other.
Regarding draft-pashby-ipv6-network-discovery-00.txt,
this provides a mechanism for devices to be made