Vlad,

All that is true, but nowhere is it said that decapsulating the packet from IPv4 (or IPv6) should be interpreted as "forwarding".

On Wed, 19 Dec 2001, Vladislav Yasevich wrote:
> For autotunnel, see RFC 2893, Section 5.6. Here is an excerpt:
>
> > Since automatic tunnels always
> > encapsulate to the destination (i.e. the IPv4 destination will be
> > the destination) any packet received over an automatic tunnel SHOULD
> > NOT be forwarded.
>
> Also, addr-arch-v3 states:
>
> > Routers must not forward any packets with link-local source or
> > destination addresses to other links.
>
> and
>
> > Routers must not forward any multicast packets beyond of the scope
> > indicated by the scop field in the destination multicast address.
>
> -vlad
>
>
> Pekka Savola wrote:
> >
> > On Wed, 19 Dec 2001, Vladislav Yasevich wrote:
> > > I don't think link-local attack can be carried out through automatic tunnels
> > > (not to mention that they will fail the address checks).
> > >
> > > After decapsulation, the packet is submitted for further input processing
> > > to look at the inner header. At this point, the source or destination
> > > (or both) are link local and the packet must be forwarded off the link
> > > (the link in this case is the tunnel). So in effect you are attacking
> > > the decapsulator (a router in most cases).
> >
> > Are you sure about this?
> >
> > I don't think so.
> >
> > Automatic tunneling is equivalent to configured tunneling. Link-local
> > addresses can be used in manual tunnels. AFAICS, automatic tunneling is
> > not really any different, except that source IPv4 address can be anything
> > at all.
> >
> > --
> > Pekka Savola                 "Tell me of difficulties surmounted,
> > Netcore Oy                   not those you stumble over and fall"
> > Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
> >
> > --------------------------------------------------------------------
> > IETF IPng Working Group Mailing List
> > IPng Home Page: http://playground.sun.com/ipng
> > FTP archive: ftp://playground.sun.com/pub/ipng
> > Direct all administrative requests to [EMAIL PROTECTED]
> > --------------------------------------------------------------------
>

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
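
The following is an added example, not part of the original message or of any implementation discussed on the list: a minimal Python sketch of a decapsulator that applies the three quoted forwarding rules only once a packet would have to leave on another link, keeping local delivery separate from forwarding. The function names, the `automatic_tunnel` flag, the placement of the checks and the sample addresses (documentation prefixes) are assumptions made for illustration.

```python
import ipaddress
import struct

def encapsulate(src6, dst6, src4="192.0.2.1", dst4="192.0.2.2"):
    """Build a constructed IPv6-in-IPv4 sample (checksum zeroed, no payload)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # version 6, no next header
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0)
    outer += ipaddress.IPv4Address(src4).packed + ipaddress.IPv4Address(dst4).packed
    return outer + inner

def inner_addresses(pkt):
    """Return (src, dst) of the IPv6 packet carried in an IPv4 protocol-41 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 41:
        raise ValueError("not IPv6-in-IPv4")
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("truncated or malformed inner IPv6 header")
    return ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])

def decide(pkt, local_addrs, automatic_tunnel=True):
    """Classify a decapsulated packet as 'deliver', 'forward' or 'drop'."""
    local = {ipaddress.IPv6Address(a) for a in local_addrs}
    try:
        src, dst = inner_addresses(pkt)
    except ValueError:
        return "drop"
    if dst in local:
        return "deliver"  # input processing on the decapsulator itself
    # From here on the packet would have to be sent out on another link.
    if src.is_link_local or dst.is_link_local:
        return "drop"     # link-local source or destination: not forwarded
    if dst.is_multicast and (dst.packed[1] & 0x0F) <= 2:
        return "drop"     # scop field is interface-local or link-local
    if automatic_tunnel:
        return "drop"     # RFC 2893, Section 5.6: SHOULD NOT be forwarded
    return "forward"
```
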
