On Wed, 10 Mar 2004, Jeroen Massar wrote:
> > On Mon, 8 Mar 2004, Jyrki Soini wrote:
> > > The consequence is that the original Echo Request packet gets 100 000
> > > 000 unicast Echo Reply messages back.
> >
> > I do not see anything wrong with this scenario. If I send an ICMP
> > Echo Request to 100M nodes I MUST expect an Echo reply from 100M
> > nodes. How about if I sent a DATA packet, which requires an ACK,
> > to the group by mistake?
>
> I guess that Jyrki's thoughts were more along the lines of:
> "What if I send a simple ICMPv6 Echo Request with *your* source address".

Note that when you send to a multicast address, your source address is checked to be RPF-wise correct, otherwise it's dropped in the multicast forwarding. So, I don't think spoofing is that feasible a scenario in "multicast ping".

If we disallow ICMP Echo Request, what about other services (TCP/UDP) that may be listening at the receiver systems? Those could be likewise affected -- TCP SYN/ACK, or a UDP response packet could have tremendous effect on the network as well.

Inevitably, we seem to be reaching a conclusion that we cannot avoid this at the specification level -- but the solution lies with the concerned parties in the form of filtering.

Note that this problem does not (really) exist if SSM is used, and this is easily prevented if draft-ietf-mboned-embeddedrp-02.txt is used (which are the only two reasonable options), as you can put filters in your RP configuration, preventing anyone (except specific sources) from sending packets to the members of the group.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
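The two mitigations Pekka names (the RPF check on the source of a multicast packet, and a per-group sender filter at the RP) modelled as an added example; this is illustrative code written for this archive page, not code from any router or from the thread's participants. The routing table, group address, and the functions `rpf_interface` and `forward_decision` are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed unicast routing table of a multicast router: (prefix, interface).
# Longest-prefix match on the SOURCE address gives the interface a packet from
# that source is expected to arrive on (the RPF interface). A packet whose
# source is spoofed will usually arrive on the wrong interface and be dropped.
UNICAST_ROUTES: List[Tuple[str, str]] = [
    ("2001:db8:1::/48", "eth0"),
    ("2001:db8:2::/48", "eth1"),
    ("::/0", "eth2"),  # default route toward the rest of the network
]

# Constructed per-group sender allowlist, modelling a filter in the RP
# configuration: only the listed sources may reach the group's members.
# Groups absent from this table accept any RPF-valid source.
GROUP_SOURCE_FILTER = {
    "ff3e::8000:1": ["2001:db8:1::10"],
}


def rpf_interface(source: str) -> Optional[str]:
    """Interface on which packets from `source` should arrive (longest match)."""
    src = ipaddress.ip_address(source)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in UNICAST_ROUTES:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def forward_decision(source: str, group: str, in_iface: str) -> Tuple[bool, str]:
    """Decide whether a multicast packet is forwarded to the group's members."""
    expected = rpf_interface(source)
    if expected != in_iface:
        # RPF failure: the claimed source does not belong behind this interface.
        return False, f"RPF fail: {source} expected on {expected}, arrived on {in_iface}"
    allowed = GROUP_SOURCE_FILTER.get(group)
    if allowed is not None and source not in allowed:
        # RP filter: a valid source, but not one permitted to send to this group.
        return False, f"RP filter: {source} is not an allowed sender for {group}"
    return True, "forward"
```

A packet from 2001:db8:1::10 arriving on eth1 fails RPF even though the source exists, which is the property that makes a spoofed "multicast ping" hard to deliver.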
