> > >   Likewise, an Optimistic node can still inject IP packets into the
> > >   Internet that will in effect be "spoofed" packets appearing to come
> > >   from the legitimate node. In some cases, those packets may lead to
> > >   errors or other operational problems, though one would expect that
> > >   upper layer protocols would generally treat such packets robustly,
> > >   in the same way they must treat old and other duplicate packets.
> > >
>
> > It is true that an Optimistic attacker can do this, but, really, can't any
> > IPv6 node do it? An attacking node doesn't have to do DAD, it could simply
> > come on the link and start sending packets to the Internet with whatever
> > address it wants. It might not get anything back, of course, since any
> > response will get sent to the legitimate owner of the address.
>
> I think the key difference is that nodes running optimistic DAD may
> end up spoofing traffic, even though they are following the spec and
> are "good" nodes. I.e., there is no ill-intent, as is the case with
> attacking nodes.
>
> So we may end up seeing such events even in cases where there are no
> "attackers".
>

Yes, that makes sense. oDAD is really depending on the low probability of a
clash. If the node is out of luck, it will of course look like spoofed
traffic. Might make sense to add something like that, maybe:

       Optimistic DAD assumes a low probability of an address clash.
       If this assumption fails, an Optimistic node can still inject IP
       packets into the Internet ...

            jak



--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
