On Fri, 1 Nov 2002, JINMEI Tatuya / 神明達哉 wrote:
> >> > Now the attacker can send packets with a fec0::/10 source
> >> > address to the customer -- no one will block them unless
> >> > they're explicitly configured as site borders -- before the
> >> > customer itself. And if the customer does not block them,
> >> > we're in for very serious trouble.
> >> >
> >> > That seemed to be what everyone except me read the ADDRARCH
> >> > paragraph to imply. I thought attacker's first-hop router (or
> >> > at the latest, attacker's edge router) should block these
> >> > packets automatically.
> >>
> >> No. At least I read ADDRARCH as meaning that the routers between the
> >> attacker and the customer would all be configured (one way or another -
> >> either manually or because it's their default configuration) as site
> >> boundaries, meaning they would filter the site-local packets.
>
> > This reading of ADDRARCH seems to be in conflict with what you said
> > earlier:
>
> I don't think so. Rich said "either manually or because it's their
> default configuration", which perfectly coincides with what he said
> before.
>
> The difference seems to me that you're saying that such an assumption
> is naive and Rich doesn't think so. IMO, this is a difference in
> philosophy and either side has some valid points. So I don't think we
> can reach some consensus by further discussion, at least within this
> thread.

Ok, I can agree to that.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
