Hi James, sorry it's taken me a while to get back to you on this.

On 2005-05-26, James Kempf wrote:
>
> In this case, the ability to use "Optimistic" greatly reduces handover
> latency, and there doesn't seem to be an issue with routing through the
> router because the RA provides the link address.
>
> Do you see any issues with this that I might have missed?

Nope, that's pretty much exactly the case that OptiDAD was designed for.

> > Likewise, an Optimistic node can still inject IP packets into the
> > Internet that will in effect be "spoofed" packets appearing to come
> > from the legitimate node. In some cases, those packets may lead to
> > errors or other operational problems, though one would expect that
> > upper layer protocols would generally treat such packets robustly,
> > in the same way they must treat old and other duplicate packets.
>
> It is true that an Optimistic attacker can do this, but, really, can't any
> IPv6 node do it? An attacking node doesn't have to do DAD, it could simply
> come on the link and start sending packets to the Internet with whatever
> address it wants. It might not get anything back, of course, since any
> response will get sent to the legitimate owner of the address.

Yeah, there's an assumption that "good" nodes greatly outnumber "evil" nodes, so the potential harm from "good" nodes occasionally spoofing packets is much more than the ever-present potential evil.

Optimistic Nodes won't 'steal' traffic ... they don't get into the router's NC, so the router never misdirects traffic to them. They can send out packets from an address being used by an existing node, and (in the case of a MIPv6 Binding Update, for example) this can cause great wads of traffic to arrive at the existing node, but there's pretty good odds that those packets will just get dropped at their destination anyway. And the existing node is obliged to correct the optimistic node's error within 1000ms anyway.

This is where the statistical argument comes in. Address collision (very unlikely) multiplied by the probability of an accidentally spoofed packet actually upsetting anything (very unlikely) equals ...
-----Nick

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
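To illustrate Nick's point that Optimistic nodes "don't get into the router's NC", here is an added model (not code from the thread or from any OptiDAD implementation) of a router's Neighbor Cache processing Neighbor Advertisements. It assumes two rules the mail does not spell out: RFC 4861 section 7.2.5 (an NA with Override clear never replaces an existing link-layer address, and an NA for an unknown target is discarded) and RFC 4429 section 2.2 (NAs sent for an Optimistic address carry Override=0); the addresses and MACs are constructed samples.

```python
# Added illustration of why an Optimistic node cannot displace the legitimate
# owner of an address in a router's Neighbor Cache (NC). Assumptions, not
# stated in the mail: RFC 4861 s7.2.5 NA processing and the RFC 4429 rule
# that Optimistic nodes send NAs with the Override flag cleared.
from dataclasses import dataclass


@dataclass
class NCEntry:
    lladdr: str
    state: str  # "REACHABLE" or "STALE"


class NeighborCache:
    def __init__(self):
        self.entries = {}

    def process_na(self, target, lladdr, override, solicited):
        """Apply the RFC 4861 s7.2.5 rules to a received Neighbor Advertisement."""
        entry = self.entries.get(target)
        if entry is None:
            return "discarded"  # NA for an unknown target creates no entry
        if not override and lladdr != entry.lladdr:
            if entry.state == "REACHABLE":
                entry.state = "STALE"  # re-verify the owner; keep its lladdr
                return "stale"
            return "ignored"
        entry.lladdr = lladdr  # Override set (or same lladdr): take the update
        entry.state = "REACHABLE" if solicited else "STALE"
        return "updated"


def optimistic_na(nc, target, lladdr):
    """An NA as an Optimistic node must send it (RFC 4429): Override is zero."""
    return nc.process_na(target, lladdr, override=False, solicited=False)


def demo():
    nc = NeighborCache()
    # Constructed sample: the legitimate node already owns 2001:db8::1.
    nc.entries["2001:db8::1"] = NCEntry("00:00:5e:00:53:01", "REACHABLE")
    collided = optimistic_na(nc, "2001:db8::1", "00:00:5e:00:53:02")
    unknown = optimistic_na(nc, "2001:db8::2", "00:00:5e:00:53:02")
    # The router still forwards 2001:db8::1 to the original owner's MAC.
    return collided, unknown, nc.entries["2001:db8::1"].lladdr
```

By contrast, a non-optimistic NA with Override set would replace the entry outright, which is exactly the misdirection the Override=0 rule prevents.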
