Richard Draves wrote:
[attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]

Now the attacker can send packets with a fec0::/10 source address to the customer -- no one will block them unless they're explicitly configured as site borders -- before the customer itself. And if the customer does not block them, we're in for very serious trouble.

That seemed to be what everyone except me read the ADDRARCH paragraph to imply. I thought attacker's first-hop router (or at the latest, attacker's edge router) should block these packets automatically.

No. At least I read ADDRARCH as meaning that the routers between the
attacker and the customer would all be configured (one way or another -
either manually or because it's their default configuration) as site
boundaries, meaning they would filter the site-local packets.
Or if you follow Tony's model, each IGP/EGP boundary would filter
them.

Brian


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
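
The two readings of ADDRARCH discussed in this thread, modelled as an added example that is not part of the original messages: each router on the diagram's path either acts as a site boundary and drops packets with a fec0::/10 source, or forwards them. The router names and sample addresses are constructed for illustration.

```python
import ipaddress

# Site-local unicast prefix discussed in the thread.
SITE_LOCAL = ipaddress.ip_network("fec0::/10")

# Constructed path following the diagram in the message:
# [attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]
# Router names are hypothetical.
PATH = ["attacker-first-hop", "internet-core", "isp-edge", "customer-edge"]


def is_site_local(addr: str) -> bool:
    """True if addr falls inside fec0::/10 (IPv4 addresses never match)."""
    return ipaddress.ip_address(addr) in SITE_LOCAL


def first_drop(src: str, path, site_borders):
    """Walk the path in order and return the first router that drops the
    packet because it is a site boundary and the source is site-local.
    Returns None when the packet is delivered to the customer."""
    for router in path:
        if router in site_borders and is_site_local(src):
            return router
    return None


def compare_readings(src: str):
    """Outcome for one source address under three configurations."""
    return {
        # Only explicitly configured borders filter, and nobody configured one.
        "no-borders-configured": first_drop(src, PATH, set()),
        # Only the customer configured its own edge as a site border.
        "customer-only": first_drop(src, PATH, {"customer-edge"}),
        # Every router is a site boundary (manually or by default).
        "all-routers-are-borders": first_drop(src, PATH, set(PATH)),
    }


if __name__ == "__main__":
    # Constructed sample sources: two site-local, one link-local, one global.
    for src in ("fec0::1", "feff::1", "fe80::1", "2001:db8::1"):
        print(src, compare_readings(src))
```
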
