On Sat, 8 Mar 2003, Tim Chown wrote:
> On Sat, Mar 08, 2003 at 06:45:15PM +0200, Pekka Savola wrote:
> >
> > No comments from the w.g. except by me and the author.
> >
> > RA-piggybacking has a few different nuances, and I'm not sure if I think
> > the one proposed is necessarily the best one, but it's the one group of
> > solutions I'd probably follow up if I wanted to achieve something.
>
> I'd like to see it kept on the table. I appreciate it has security issues,
> but then all the tabled methods do too?

Actually, the security properties of RA-piggybacking solutions are roughly
on the same level as with DHCP and friends, not to mention general
connectivity.

The only attack model with RA-piggybacking that might make sense is to
inject a spoofed RA containing your rogue DNS servers instead of hijacking
all the connectivity. This might be more difficult to notice than all net
access being man-in-the-middle-attacked on the link by a node.

But then again, the above case hasn't been mentioned in any analysis I
recall (just made it up), so it's difficult to say.

I certainly don't feel there are a lot of issues with security in RA-based
DNS discovery.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                   kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
