Fred Baker wrote:
> On Sep 13, 2006, at 9:23 AM, Jun Bi wrote:
>
> > Yes, I believe SAVA will have multi-fence solution, to prevent
> > source address spoofing in different granularity.
>
> I should think that the simplest model would be based on neighbor
> discovery. When ND discovers that someone is a neighbor, it also has
> the option of determining whether they act as a router; if they do
> not, then the only addresses they should be using on a given
> interface are the address used in neighbor discovery on the
> interface, which is a very tight coupling between a MAC address and
> an IPv6 address. You can add other fences, but if the first hop
> router applies this rule, then you should cover a huge percentage of
> your cases.

Note that there is no requirement today that a receiver (or router)
have a neighbor entry for a neighbor from which it receives packets,
only that it have one for a neighbor to which it sends packets. So
this would require a significant change in the receive model, not
just a change in the ND model so that you could learn whether the
neighbor is a router.

-Dave

> Note that this does not imply a problem with privacy addresses or
> changing addresses - a system can be a neighbor to the router as many
> times as it likes. But no device needs to accept a packet from
> someone with whom they are not a neighbor (apart from ND), and in the
> case of traffic on a LAN that includes rejecting packets whose source
> IP address doesn't match their source MAC address.
>
> This differs, of course, in the case that the neighbor in any sense
> forwards packets from another system (per RFC 2460, is a router). In
> that case, forwarded traffic will have differing source addresses.
>
> _______________________________________________
> Int-area mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/int-area
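The first-hop rule Fred describes, and the receive-model dependency Dave points out, can be made concrete with a small model of a router's neighbor cache. The following is an added example written for this page; it is not code from either poster or from any SAVA implementation. It assumes a cache populated from Neighbor Discovery (the ICMPv6 types 133 through 137 are the ND message set), a per-neighbor "is router" flag as learned from a Neighbor Advertisement, and constructed sample addresses and MACs under 2001:db8::/32; the class and function names are the example's own.

```python
"""First-hop source-address filter modelled on the ND-binding rule.

Added example, not code from the thread. Neighbor-cache entries and
packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Dict, Optional, Set, Tuple

# ICMPv6 message types that make up Neighbor Discovery (RS, RA, NS, NA,
# Redirect). These pass without a binding, since bindings come from them.
ND_ICMPV6_TYPES = {133, 134, 135, 136, 137}


@dataclass(frozen=True)
class Neighbor:
    mac: str
    is_router: bool  # Router flag as seen in the Neighbor Advertisement


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: IPv6Address
    icmpv6_type: Optional[int] = None  # None for non-ICMPv6 traffic


class FirstHopFilter:
    """Neighbor cache as a first-hop router would hold it, plus the
    accept/reject decision for packets arriving on that interface."""

    def __init__(self) -> None:
        self.cache: Dict[IPv6Address, Neighbor] = {}
        # MACs of neighbors that announced themselves as routers; their
        # forwarded traffic legitimately carries other source addresses.
        self.routers: Set[str] = set()

    def learn(self, ip: str, mac: str, is_router: bool = False) -> None:
        """Record an IPv6 <-> MAC binding observed through ND."""
        mac = mac.lower()
        self.cache[IPv6Address(ip)] = Neighbor(mac=mac, is_router=is_router)
        if is_router:
            self.routers.add(mac)

    def check(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (accept, reason) for one inbound packet."""
        mac = pkt.src_mac.lower()
        if pkt.icmpv6_type in ND_ICMPV6_TYPES:
            return True, "nd-exempt"           # ND itself must get through
        if mac in self.routers:
            return True, "forwarding-neighbor"  # RFC 2460 router: any source
        entry = self.cache.get(pkt.src_ip)
        if entry is None:
            # Dave's point: today a receiver need not hold an entry for a
            # sender, so this rule forces one to exist before traffic flows.
            return False, "no-binding"
        if entry.mac != mac:
            return False, "mac-mismatch"       # claimed IP bound to other MAC
        return True, "bound"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed packets through a cache with one host (two addresses,
    the second standing in for a privacy address) and one router."""
    f = FirstHopFilter()
    f.learn("2001:db8::a", "00:11:22:33:44:aa")
    f.learn("2001:db8::a1", "00:11:22:33:44:AA")           # same host, new address
    f.learn("2001:db8::1", "00:11:22:33:44:01", is_router=True)
    pkts = {
        "host-own-addr": Packet("00:11:22:33:44:aa", IPv6Address("2001:db8::a")),
        "host-privacy-addr": Packet("00:11:22:33:44:aa", IPv6Address("2001:db8::a1")),
        "other-mac-claims-a": Packet("00:11:22:33:44:bb", IPv6Address("2001:db8::a")),
        "unknown-neighbor": Packet("00:11:22:33:44:cc", IPv6Address("2001:db8::c")),
        "unknown-ns": Packet("00:11:22:33:44:cc", IPv6Address("fe80::cc"), 135),
        "via-router": Packet("00:11:22:33:44:01", IPv6Address("2001:db8:1::5")),
    }
    return {name: f.check(p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'DROP':6s} {why}")
```

The two accepted host packets show why privacy or changing addresses are not a problem under this rule: each new address simply becomes another cache entry for the same MAC. The "no-binding" drop is the receive-model change Dave raises; a host that has never been resolved by the router has no entry, so its packets are refused until ND has run, which is a stricter coupling than current receivers impose.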
