On Wed, 19 Dec 2001, Tony Hain wrote:
> Pekka Savola wrote:
> > All that is true, but nowhere is it said that decapsulating the packet
> > from IPv4 (or IPv6) should be interpreted as "forwarding".
>
> The group keeps responding to you that the tunnel is an interface
> separate from the physical one it is encapsulated in, but that doesn't
> seem to stick. If you will accept that the tunnel is an independent
> interface and treat it as such, all the rules will start to make sense,
> and your continuous complaint about tunnel security will be resolved
> through the existing rules. If you can show that a node which follows
> the rules is insecure that would be helpful, but continuing to rehash
> tunneling as a security hole is not.

Please note that this is not an issue about forwarding packets with link-local addresses to the local LAN or anything. This is about an attack against the tunnel interface itself.

Undeniably, you can input packets with:
- link-local source (here: ff80::1)
- link-local destination (here: ff80::2)
- hop limit 255
in the tunnel interface. They cannot be FORWARDED off the node though.

Now, if the router has 'ff80::2' configured as one of its pseudo-interface addresses, that address can be reached via tunneling with hop limit 255 from anywhere.

See the potential problem here?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
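As an added example, not part of this thread or of any IETF specification, here is a small Python check for the decapsulation side of a configured tunnel. It assumes a point-to-point IPv6-in-IPv4 tunnel with a single configured peer (hypothetical address 192.0.2.1) and applies one mitigation for the scenario above: a decapsulated packet is handed to the tunnel interface only if its outer IPv4 source is that peer. Packets whose inner header carries link-local addresses (fe80::/10) with hop limit 255 but arrive from any other outer source are reported with their own reason, since those are exactly the ones that would otherwise reach the router's own link-local tunnel address. The sample packets are constructed inline.

```python
import struct
import ipaddress

# Hypothetical configuration: the only peer this tunnel is set up with.
TUNNEL_PEER_V4 = ipaddress.IPv4Address("192.0.2.1")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
IPPROTO_IPV6 = 41  # protocol number for IPv6 encapsulated in IPv4


def build_encapsulated(outer_src, outer_dst, inner_src, inner_dst, hop_limit):
    """Constructed test packet: a minimal IPv4 header (protocol 41)
    wrapping a bare IPv6 header with no payload."""
    inner = struct.pack(
        "!IHBB16s16s",
        0x60000000,  # version 6, traffic class 0, flow label 0
        0,           # payload length: nothing follows the header
        59,          # next header: "no next header"
        hop_limit,
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    )
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,  # checksum left 0
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def check_decapsulation(packet, tunnel_peer=TUNNEL_PEER_V4):
    """Decide whether a packet arriving on the physical side may be
    decapsulated and delivered to the tunnel interface.
    Returns (verdict, reason)."""
    if len(packet) < 20:
        return ("drop", "truncated outer header")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, proto, osrc = fields[0], fields[6], fields[8]
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPV6:
        return ("drop", "not IPv6-in-IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if len(packet) < ihl + 40:
        return ("drop", "truncated inner header")

    vtf, _plen, _nh, hlim, isrc, idst = struct.unpack(
        "!IHBB16s16s", packet[ihl:ihl + 40])
    if vtf >> 28 != 6:
        return ("drop", "inner header is not IPv6")

    outer_src = ipaddress.IPv4Address(osrc)
    inner_src = ipaddress.IPv6Address(isrc)
    inner_dst = ipaddress.IPv6Address(idst)
    link_local_255 = hlim == 255 and (
        inner_src in LINK_LOCAL or inner_dst in LINK_LOCAL)

    # The tunnel is a point-to-point interface with one configured peer:
    # only that peer may inject packets into it.
    if outer_src != tunnel_peer:
        if link_local_255:
            return ("drop", "link-local packet with hop limit 255 "
                            "from unexpected outer source")
        return ("drop", "outer source is not the configured tunnel peer")
    return ("accept", "from configured tunnel peer")


if __name__ == "__main__":
    good = build_encapsulated("192.0.2.1", "192.0.2.2", "fe80::1", "fe80::2", 255)
    bad = build_encapsulated("198.51.100.7", "192.0.2.2", "fe80::1", "fe80::2", 255)
    print(check_decapsulation(good))
    print(check_decapsulation(bad))
```

The peer check is the load-bearing part: it gives the tunnel interface the same "only my link neighbours can reach me with hop limit 255" property that a physical link has. The separate reason string for the link-local case exists so that a log line for it can be distinguished from ordinary stray encapsulated traffic.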
