On Thu, 31 Oct 2002, Richard Draves wrote:
> > [attacker] --- [internet] ---- [ISP] --- [customer w/ site locals]
> >
> > Now the attacker can send packets with a fec0::/10 source
> > address to the customer -- no one will block them unless
> > they're explicitly configured as site borders -- before the
> > customer itself.  And if the customer does not block them,
> > we're in for very serious trouble.
> >
> > That seemed to be what everyone except me read the ADDRARCH
> > paragraph to imply.  I thought the attacker's first-hop router (or
> > at the latest, the attacker's edge router) should block these
> > packets automatically.
>
> No. At least I read ADDRARCH as meaning that the routers between the
> attacker and the customer would all be configured (one way or another -
> either manually or because it's their default configuration) as site
> boundaries, meaning they would filter the site-local packets.
This reading of ADDRARCH seems to be in conflict with what you said earlier:

--8<--
> [me:]
> Some read it (many):
>
>   "if I configure a site here, I must also block site-locals
>   from spreading out or false site-locals coming in"
>
> Some others read it:
>
>   "if I use site-locals here, my upstream router will block
>   the site-local addresses from spreading out and prevent anyone
>   from spoofing site-locals to my site"
>
> The latter is how I read it must be implemented -- and
> reading Microsoft's implementation and the reason they're
> using SL *strongly* suggests they also have read it that way.
> There are very probably many others.

[Rich:]
No, I think you're the only person reading it the latter way.

My expectation is that routers will need to be configured to understand
site boundaries. A conservative position is that routers by default
should regard their interfaces as belonging to different sites, unless
they are configured to be in the same site. Or perhaps other aspects of
the router's configuration (eg the network prefixes assigned to
different interfaces, or the routing protocols in use) could be used to
default the site configuration.
--8<--

You're making an assumption that folks who don't care about site-locals
at all somehow block them.  That's much closer to how I read it than the
first way, I believe.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
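The disagreement in the message above is about who drops a spoofed fec0::/10 packet on the path attacker -> internet -> ISP -> customer. The following is an added model of that path, not code from the IPng list or from any router; the router, interface and site names ("isp", "customer-edge", "upstream", "lan", "site-a") and the addresses are constructed for the illustration. Each router is a site-boundary filter: a packet is dropped when it would cross from one site to another while carrying a site-local source or destination. The "conservative position" from Rich's text is modelled by treating every unconfigured interface as its own site; the "folks who don't care" case is modelled by a router with no site configuration at all, which sees every interface as the same site and therefore never drops anything.

```python
"""Site-boundary filtering of IPv6 site-local (fec0::/10) traffic.

Added example; not from the IPng thread or from any router vendor.
Router, interface and site names are made up for the illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# The prefix under discussion in the thread.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")

# A site is a configured name or, on a "conservative" router, a tuple unique
# to the unconfigured interface (so two unconfigured interfaces differ).
SiteId = Union[str, Tuple[str, str]]


@dataclass
class Router:
    """One forwarding hop.

    interface_site: explicit interface -> site configuration (may be empty).
    per_interface_default: the conservative default from the thread; an
        unconfigured interface counts as its own site.  False models a router
        with no site configuration at all (an ISP box that does not care),
        which treats every interface as one site and so never filters.
    """
    name: str
    interface_site: Dict[str, str] = field(default_factory=dict)
    per_interface_default: bool = True

    def site_of(self, ifname: str) -> SiteId:
        if ifname in self.interface_site:
            return self.interface_site[ifname]
        if self.per_interface_default:
            return ("unconfigured-iface", ifname)
        return "single-site"

    def decide(self, src: str, dst: str, in_if: str, out_if: str) -> str:
        """'drop' or 'forward' for a packet entering in_if and leaving out_if."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        crosses_boundary = self.site_of(in_if) != self.site_of(out_if)
        if crosses_boundary and (s in SITE_LOCAL or d in SITE_LOCAL):
            return "drop"
        return "forward"


Hop = Tuple[Router, str, str]  # (router, ingress interface, egress interface)


def trace(path: List[Hop], src: str, dst: str) -> str:
    """Walk the packet along the path; report the first router that drops it."""
    for router, in_if, out_if in path:
        if router.decide(src, dst, in_if, out_if) == "drop":
            return f"dropped at {router.name}"
    return "delivered"


def spoof_path(customer: Router) -> List[Hop]:
    """Topology from the thread: attacker -> internet -> ISP -> customer.
    The ISP router (hypothetical) has no site configuration of any kind."""
    isp = Router("isp", per_interface_default=False)
    return [(isp, "core", "to-customer"), (customer, "upstream", "lan")]


# Three customer edge routers differing only in how sites are configured.
customer_unaware = Router("customer-edge", per_interface_default=False)
customer_conservative = Router("customer-edge")  # each interface its own site
customer_explicit = Router(
    "customer-edge",
    interface_site={"upstream": "internet", "lan": "site-a"},
    per_interface_default=False,
)

SPOOFED_SRC = "fec0::1"          # site-local source injected from the internet
CUSTOMER_HOST = "2001:db8::10"   # constructed global address inside the customer site

if __name__ == "__main__":
    for cust in (customer_unaware, customer_conservative, customer_explicit):
        cfg = cust.interface_site or f"per_interface_default={cust.per_interface_default}"
        print(cfg, "->", trace(spoof_path(cust), SPOOFED_SRC, CUSTOMER_HOST))
```

Running it shows the two outcomes the thread argues over: with the conservative default, or with an explicit boundary on the customer's upstream interface, the spoofed packet is dropped at the customer edge even though the ISP passed it; with no site configuration anywhere on the path it is delivered. In a real deployment the equivalent is an ingress filter on the upstream interface denying fec0::/10 as source or destination, which is what a site that uses site-locals has to install itself if it does not trust its upstream to do so. (Site-local unicast addresses were later deprecated by RFC 3879, so on current networks the same filtering concern applies to fc00::/7 unique local addresses.)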
