On Thu, 17 Nov 2005, Vishwas Manral wrote:
>   By setting the Hop Limit to 255, Neighbor Discovery is immune to
>   off-link senders that accidentally or intentionally send ND messages.
>
> However if we send a basic ND message in IP-in-IP tunneled packet and
> send the packet across, we can easily send ND messages off-link. A
> solution I can think of is that by default we SHOULD NOT allow ND
> packets inside tunneled packets unless explicitly configured to do so.
>
> Am I missing the point?

How would those tunnel packets be decapsulated? They're part of a tunnel (be it a 6to4 tunnel, IPv6-in-IPv6 point-to-point tunnel, etc.). If they're part of the tunnel, they must be processed (because you should be able to run neighbor discovery on top of such tunnels). If the host has no matching tunnel, the packet needs to be discarded.

It's up to the tunneling mechanism to do appropriate verifications if necessary. See RFC3964 section 4.1.1 and 4.2.1 for examples.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
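The two checks the reply describes, as an added example that is not part of this thread or of any implementation mentioned in it: a receiver drops ND messages whose hop limit is not 255, and an IPv6-in-IPv6 packet is only decapsulated when its outer addresses match a configured tunnel, after which the inner packet goes through the same ND check. Packet layout, the tunnel table and all addresses are constructed for illustration (documentation prefix 2001:db8::/32); the Neighbor Solicitation body is built with a zeroed checksum, and extension headers are not modelled.

```python
"""Added example: ND hop-limit check and tunnel-matching before decapsulation.

Not code from the mailing-list thread or any real stack; packet formats and
the tunnel table are constructed for illustration.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_IPV6 = 41        # IPv6-in-IPv6 encapsulation
NEXT_HEADER_ICMPV6 = 58
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect
ND_HOP_LIMIT = 255           # ND messages must arrive with hop limit 255


def build_ipv6(src, dst, next_header, hop_limit, payload):
    """Construct a bare IPv6 header (no extension headers) in front of payload."""
    ver_tc_fl = 6 << 28      # version 6, traffic class 0, flow label 0
    hdr = struct.pack("!IHBB16s16s", ver_tc_fl, len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv6(packet):
    """Parse the fixed IPv6 header; returns a dict with addresses, hop limit and payload."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("short packet")
    ver_tc_fl, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", packet[:IPV6_HDR_LEN])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    return {"src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
            "next_header": nh, "hop_limit": hlim,
            "payload": packet[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]}


def classify(packet, tunnels, depth=0):
    """Describe what the receiving host does with the packet.

    tunnels is a set of (remote, local) address pairs the host has configured.
    """
    hdr = parse_ipv6(packet)
    if hdr["next_header"] == NEXT_HEADER_ICMPV6:
        icmp_type = hdr["payload"][0]
        if icmp_type in ND_TYPES:
            # A router would have decremented the hop limit, so anything below
            # 255 came from off-link and is discarded.
            if hdr["hop_limit"] != ND_HOP_LIMIT:
                return "drop: ND message with hop limit %d (off-link)" % hdr["hop_limit"]
            return "accept: ND message from on-link sender %s" % hdr["src"]
        return "deliver: ICMPv6 type %d" % icmp_type
    if hdr["next_header"] == NEXT_HEADER_IPV6:
        if depth >= 1:
            return "drop: nested encapsulation"
        # Only a configured tunnel endpoint may hand us an inner packet.
        if (hdr["src"], hdr["dst"]) not in tunnels:
            return "drop: IPv6-in-IPv6 from %s with no configured tunnel" % hdr["src"]
        # Matching tunnel: decapsulate, then apply the usual checks to the inner
        # packet, which now counts as arriving on the tunnel link.
        return "tunnel %s: " % hdr["src"] + classify(hdr["payload"], tunnels, depth + 1)
    return "deliver: next header %d" % hdr["next_header"]


# Constructed sample traffic (placeholder addresses, not from the thread)
LOCAL = "2001:db8::1"
TUNNEL_PEER = "2001:db8::2"
STRANGER = "2001:db8:ffff::99"
TUNNELS = {(ipaddress.IPv6Address(TUNNEL_PEER), ipaddress.IPv6Address(LOCAL))}


def neighbor_solicitation(target):
    """ICMPv6 NS body: type 135, code 0, checksum (zeroed here), reserved, target."""
    return bytes([135, 0, 0, 0]) + b"\x00" * 4 + ipaddress.IPv6Address(target).packed


NS = neighbor_solicitation(LOCAL)
PKT_ONLINK_NS = build_ipv6("fe80::a", "ff02::1:ff00:1", NEXT_HEADER_ICMPV6, 255, NS)
PKT_FORWARDED_NS = build_ipv6("fe80::a", "ff02::1:ff00:1", NEXT_HEADER_ICMPV6, 254, NS)
INNER_NS = build_ipv6("fe80::b", LOCAL, NEXT_HEADER_ICMPV6, 255, NS)
PKT_TUNNELED_NS = build_ipv6(TUNNEL_PEER, LOCAL, NEXT_HEADER_IPV6, 64, INNER_NS)
PKT_STRANGER_NS = build_ipv6(STRANGER, LOCAL, NEXT_HEADER_IPV6, 64, INNER_NS)

if __name__ == "__main__":
    for name, pkt in [("on-link NS", PKT_ONLINK_NS), ("forwarded NS", PKT_FORWARDED_NS),
                      ("NS via configured tunnel", PKT_TUNNELED_NS),
                      ("NS via unknown tunnel source", PKT_STRANGER_NS)]:
        print("%-28s -> %s" % (name, classify(pkt, TUNNELS)))
```

The tunnel lookup happens before any decapsulation, so an ND message wrapped by a host that is not a configured tunnel peer never reaches the ND code at all; an ND message from a real tunnel peer is accepted only if the inner hop limit is still 255, exactly as on a physical link.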

--------------------------------------------------------------------
IETF IPv6 working group mailing list
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
