>>>>> On Thu, 01 Feb 2001 23:06:31 -0800,
>>>>> "T.J. Kniveton" <[EMAIL PROTECTED]> said:
> However, RFC 2462 has stated that unless router advertisements are
> authenticated, any router advertisement trying to expire the prefix
> (which still has a few days, to most of a month, of validity left), will
> just lower it to two hours.
> Is it OK with everyone that a node that has been turned off for a while,
> could possibly be *unusable* on a network for two hours? We can not say
> that an admin will log into this machine and manually remove the prefix,
> or that router advertisements after a network renumber will be
> authenticated. Both of these make far too many assumptions.
In this case, we can reasonably assume that a new prefix (with positive
valid and preferred lifetimes) is being advertised. Thus, we have at
least one preferred address. Also, in the scenario above, where the old
prefix is being advertised with zero lifetimes, the old address is
immediately deprecated (note that the "two hours" protection described
in RFC 2462 is not applied to the preferred lifetime). Consequently, we
would just use the (only) preferred address when we start a new
communication, by the definition of a "deprecated" address, and would
not see any problems in normal operation.
> Aside from whether this is "OK," there is inconsistency between these
> drafts. 2461 does not seem to account for the DoS attack which 2462 is
> trying to avoid.
No, we don't care about a zero-lifetime attack in prefix (i.e., on-link)
manipulation, which RFC 2461 describes. We only care about the attack
that attempts to make a victim's *address* invalid.
Note that we can still send packets to default routers even if we
don't have any known on-link prefixes, while we can't make any
off-link communications if all the global addresses are invalidated.
Of course, you could say that this policy is "wrong", but at least the
two policies are not inconsistent.
JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------