Hi

On 9/4/2013 4:28 AM, Ole Troan wrote:
> Fernando,
>
>>> would that be other nodes than yourself and nodes on the same link
>>> as yourself?
>>
>> I guess in some scenarios it might be tricky.
>>
>> For instance, even with link-local only multicast (as that used for
>> ND), you can send a packet to a link-local multicast address, but
>> sourced from any global address. Hence you can have your own network
>> be an amplifier to attack a third party.
>
> yes, but there are many other ways of doing that, and e.g. ping ff02::1 with
> victim's source address
> would be a lot more effective.
>
>> Not to mention that if you're employing e.g. an openvpn Ethernet
>> bridge, it becomes fuzzy what's your local link (i.e. real links vs.
>> "virtual" link).
>
> a virtual link is as good as any other in this context.
>
>> IMO, this is the kind of feature that's "asking for trouble". IMHO,
>> let's fix it, and move on.
>
> I for one would like to see attack vectors outside the local link before
> supporting adopting this document.

That is also my opinion. It seems to me that we are not really removing
any attack vector by making this change. As Ole mentioned, there are
other easy ways of doing the same attack from your own network. Also, I
view that as less serious since it can easily be tracked.

Stig

> cheers,
> Ole


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------