On Sep 13, 2006, at 9:23 AM, Jun Bi wrote:
Yes, I believe SAVA will have a multi-fence solution, to prevent source address spoofing at different granularities.
I should think that the simplest model would be based on neighbor discovery. When ND discovers that someone is a neighbor, it also has the option of determining whether they act as a router; if they do not, then the only addresses they should be using on a given interface are the address used in neighbor discovery on the interface, which is a very tight coupling between a MAC address and an IPv6 address. You can add other fences, but if the first hop router applies this rule, then you should cover a huge percentage of your cases.
Note that this does not imply a problem with privacy addresses or changing addresses - a system can be a neighbor to the router as many times as it likes. But no device needs to accept a packet from someone with whom they are not a neighbor (apart from ND), and in the case of traffic on a LAN that includes rejecting packets whose source IP address doesn't match their source MAC address.
This differs, of course, in the case that the neighbor in any sense forwards packets from another system (per RFC 2460, is a router). In that case, forwarded traffic will have differing source addresses.
_______________________________________________ Int-area mailing list [email protected] https://www1.ietf.org/mailman/listinfo/int-area
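As an added illustration that is not part of the thread, here is a toy Python model of the first-hop fence the reply describes: a router learns (MAC, IPv6 address) bindings from Neighbor Discovery, lets ND itself through, accepts any source address from a neighbor that advertised itself as a router (its forwarded traffic legitimately carries other sources), and drops everything else whose source address was not bound by the sending MAC. The `Packet`, `FirstHopFence` and `run_demo` names, and all MAC and address values, are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Optional

# ICMPv6 type numbers for Neighbor Discovery messages (RFC 4861):
# RS=133, RA=134, NS=135, NA=136, Redirect=137
ND_TYPES = {133, 134, 135, 136, 137}
ICMPV6 = 58


@dataclass
class Packet:
    """The fields of a LAN frame the fence needs (constructed sample type)."""
    src_mac: str
    src_ip: str
    next_header: int = 6          # 6 = TCP; 58 = ICMPv6
    icmp_type: Optional[int] = None

    def is_nd(self):
        return self.next_header == ICMPV6 and self.icmp_type in ND_TYPES


@dataclass
class FirstHopFence:
    """Per-interface state a first-hop router learns from ND (hypothetical model)."""
    # MAC -> every IPv6 address that MAC has claimed through ND
    bindings: dict = field(default_factory=dict)
    # MACs of neighbors that advertised themselves as routers
    routers: set = field(default_factory=set)

    def learn(self, mac, ip, is_router=False):
        """Record a (MAC, IPv6) pair seen in ND. A host may bind many
        addresses (privacy addresses, renumbering); nothing is evicted here."""
        mac = mac.lower()
        self.bindings.setdefault(mac, set()).add(IPv6Address(ip))
        if is_router:
            self.routers.add(mac)

    def accept(self, pkt):
        """True if the packet may be forwarded, False if it should be dropped."""
        mac = pkt.src_mac.lower()
        if pkt.is_nd():
            return True   # ND must pass, or nobody could ever become a neighbor
        if mac not in self.bindings:
            return False  # not a neighbor at all
        if mac in self.routers:
            return True   # a router forwards others' packets; any source is fine
        return IPv6Address(pkt.src_ip) in self.bindings[mac]


def run_demo():
    """Constructed traffic against a fence with three learned neighbors."""
    fence = FirstHopFence()
    fence.learn("02:00:00:00:00:01", "fe80::1")
    fence.learn("02:00:00:00:00:01", "2001:db8::1")        # same host, second address
    fence.learn("02:00:00:00:00:03", "fe80::3", is_router=True)

    cases = {
        "host, own address":       Packet("02:00:00:00:00:01", "2001:db8::1"),
        "host, forged address":    Packet("02:00:00:00:00:01", "2001:db8::bad"),
        "stranger, victim's addr": Packet("02:00:00:00:00:02", "2001:db8::1"),
        "stranger, ND solicit":    Packet("02:00:00:00:00:02", "fe80::2", ICMPV6, 135),
        "router, forwarded pkt":   Packet("02:00:00:00:00:03", "2001:db8:9::7"),
    }
    return {name: fence.accept(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{'ACCEPT' if ok else 'DROP  '}  {name}")
```

The model keeps every address a MAC has ever bound, which is what makes privacy and changing addresses harmless: the host simply becomes a neighbor again for each new address. A real implementation would also age bindings out with the ND cache and would need the router flag to come from a trusted signal rather than any neighbor's own claim.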
