In your previous mail you wrote: After giving this some thought, I think RFC 2460 should be revised to incorporate some security precautions.
=> I agree but this should not be in RFC 2460 (which is a draft standard i.e. not so easy to change BTW). I suggest two separate restrictions on Routing Header processing. 1. When processing a Routing Header, hosts should only forward the packet to another node via the same interface by which it arrived. => this rule is the RFC 1122 local forwarding rule. I proposed something a bit more strict (forbid forwarding)... I don't know if you really open a security hole (I don't believe this is the case), my proposal has the advantage (?) that the host definition (never forward) is still valid for source routes. Any opinion/good argument? 2. When processing a Routing Header, nodes should compare the scope of the current and new destination addresses and only forward the packet if the new destination address has scope equal or greater than the old destination scope. => I agree (note the destination can't reply because its address has not enough scope). Regards [EMAIL PROTECTED] -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
