Brian Haberman wrote:
[..]
>> The sentence could be modified in :
>>
>> "Compliant IPv6 hosts and routers MUST NOT process RH0 in packets
>> addressed to them. Those packets MUST be dropped without further
>> processing. In particular, the value of the Segments Left field
>> MUST not be considered."
>>
>
> This is much clearer and easier to implement.
It is indeed. But there is a big BUT. Existing code is already deployed. When these installations don't get updated to fix this problem, they remain vulnerable and can be used for this attack, as such packet-ping-ponging between the vulnerable hosts.

As such, when you are a transit provider and you have on the edges of your network some vulnerable hosts, those hosts can be used to apply this attack to your network. The documentation should thus specify that, where possible, RH0 should be filtered at customer borders.

(And there should thus be a harakiri-penalty for folks who do not upgrade their nodes imho...) Of course, that can also be solved by publicly shaming those people and, more directly, disconnecting them till they fix their networks.

Greets,
 Jeroen
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
