RE: Security considerations of the ICMPv6 draft

[Fernando Gont]

At 13:57 11/04/2005 -0500, [EMAIL PROTECTED] wrote:
I agree that we should add some words to raise awareness
about the ICMP-based attacks.  We could add the text that
Pekka suggested in the security consideration section and
provide an informative reference to your draft.
That'd be a good thing.

I don't think the ICMP draft should go in details of how
a transport protocol should protect itself against these
attacks.  I think, it will be a good idea to write separate
drafts for those details.
I didn't mean we should provide details on how transport protocols should 
react to ICMP errors. I just suggested that the ICMPv6 draft should 
recommend transport protocols to use the information contained in the 
payload to validate the ICMP messages (but don't say a word about the 
actual checks), and also that it would be great if it provided a few words 
about what the ICMP error types/codes mean.
If left "as is", people will extrapolate the RFC 1122 description to ICMPv6.
I just say that adding something like "these error codes do not necessarily 
indicate hard errors". That little sentence would mean the discussion of 
ICMP in RFC 1122 does not necessarily apply to ICMPv6.

BTW, (closely related to this thread), this was released yesterday:
* Cisco's vulnerability report
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml
* CERT/CC's vulnerability report
http://www.kb.cert.org/vuls/id/222750
* NISCC's vulnerability report
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en
--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------