Pekka Savola wrote: > On Thu, 10 May 2007, Jeroen Massar wrote: >> As such, when you are a transit provider, and you have on the edges of >> your network some vulnerable hosts, those hosts can be used to apply >> this attack to your network. >> >> The documentation should thus specify that, where possible, RH0 should >> be filtered at customer borders. > > Well, IMHO that's a bit unnecessary. > > If you see packet ping-pong on the Internet, it's an indication that > ingress and egress filters haven't been adequately set up. Adding those > will stop your network's bandwidth being wasted. > > Maybe this RH0 vulnerability will turn out for the good after all if it > means better BCP38/84 deployment :-)
Oops, forgot about that indeed. uRPF resolves that concern already :) I do also have it noted here that folks should do BCP38 properly: http://www.sixxs.net/faq/connectivity/?faq=filters As such, maybe include an extra reference and heavy lined note to BCP38? Also, maybe force vendors to enable BCP38 per default by making it a MUST? Greets, Jeroen
signature.asc
Description: OpenPGP digital signature
-------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
