On Thu, 31 Oct 2002, Hesham Soliman (EAB) wrote:

> > > => Forward them where?? I can't imagine BGP not filtering
> > > SLs coming from the downstream customers. Regardless
> > > of what the spec says.
> >
> > BGP is not the point. Consider e.g.:
> >
> > [attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]
> >
> > Now the attacker can send packets with a fec0::/10 source address to the
> > customer -- no one will block them unless they're explicitly configured as
> > site borders -- before the customer itself. And if the customer does not
> > block them, we're in for very serious trouble.
>
> => So you're talking about two misconfigured
> sites and you didn't say, where is the attack?

One misconfigured site, of the victim. ISP doesn't need to care about them,
and Internet certainly doesn't.

The attacker's site wasn't explicitly configured to use site-locals (they
probably don't even use them -- only globals), so it isn't blocked in their
routers -- this is a feature of your interpretation of the addrarch.

> Also even if this happens it's a one-way
> communication because if the customer tries
> to reply packets will go nowhere.

If you have e.g. a security hole in a protocol using UDP, one-way
communication is more than enough to exploit it.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
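The site-border filter the exchange above says is missing, as an added illustration that is not part of the thread or of any IETF text: a Python model of the forwarding decision a site-border router should make for the fec0::/10 scenario, with constructed sample packets (the 2001:db8::/32 addresses and the function names are assumptions for the example).

```python
import ipaddress

# Address ranges that must never cross a site border: the site-local unicast
# prefix discussed in the thread and the link-local prefix.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_site_scoped(addr):
    """True if the address is site-local or link-local scoped."""
    a = ipaddress.IPv6Address(addr)
    return a in SITE_LOCAL or a in LINK_LOCAL


def border_verdict(src, dst, direction):
    """Decide whether a site-border router forwards a packet.

    direction is "in" (arriving from the ISP) or "out" (leaving toward the
    ISP).  Site-scoped source or destination addresses are dropped in both
    directions, so a spoofed fec0::/10 source from the Internet never reaches
    internal hosts, and an internal reply to such a source never leaks out.
    This is the check that, per the thread, only happens if the router is
    explicitly configured as a site border.  Returns (action, reason).
    """
    if is_site_scoped(src):
        return ("drop", f"{direction}: site-scoped source {src}")
    if is_site_scoped(dst):
        return ("drop", f"{direction}: site-scoped destination {dst}")
    return ("forward", "global addresses only")


# Constructed sample traffic: the thread's scenario plus a legitimate flow.
SAMPLE = [
    ("fec0::1", "2001:db8:1::10", "in"),           # spoofed site-local source
    ("2001:db8:1::10", "fec0::1", "out"),          # victim's reply, "goes nowhere"
    ("2001:db8:ffff::5", "2001:db8:1::10", "in"),  # ordinary global traffic
]


def filter_log(packets=SAMPLE):
    """Apply the border check to each packet; returns (src, dst, action)."""
    return [(src, dst, border_verdict(src, dst, d)[0]) for src, dst, d in packets]


if __name__ == "__main__":
    for entry in filter_log():
        print(entry)
```

Note that the first sample packet is the one the thread worries about: with no site-border configuration on the customer's router, nothing in the path from attacker to customer drops it.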
