Hi,

A little mail for a nice Monday morning discussion/flamebait:

I came to realize that RH0 filtering is not really necessary at all. Networks that have uRPF enabled check the source of the packet, and as such the packet ping-pong doesn't work: yes, the packet arrives, but when the packet has to be sent out onto the network again, it gets caught by the uRPF filter. Networks that do not have uRPF enabled, and thus are not properly checking where a packet is actually being sourced from, are open to the RH0 attack. As such, any network which does not have uRPF enabled is vulnerable to some nice RH0 packet ping-ponging.

Now, what we should hope is that people actually do NOT filter out RH0 and then send out a lot of packets with RH0 headers ping-ponging throughout the Internet. This will make sure that the networks that are not properly applying uRPF will in effect nicely melt down. Maybe that brings to their attention that doing uRPF is actually a good thing, as is specified in BCP38 (BCP stands for Best Common Practices, but clearly a lot of networks don't take it in common).

Greets,
Jeroen
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
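The strict uRPF check the message above relies on, modelled as an added example (not part of the original mail): a packet is accepted only if the best route back to its source points out of the interface it arrived on. The router, interface names and the `2001:db8::/32` documentation prefixes are constructed assumptions.

```python
import ipaddress

# Constructed FIB for a hypothetical router: prefix -> outgoing interface.
FIB = {
    "2001:db8:a::/48": "eth-customer",
    "2001:db8:b::/48": "eth-peer-b",
    "::/0": "eth-upstream",
}


def reverse_path_interface(fib, source):
    """Longest-prefix match on the SOURCE address.

    Returns the interface this router would use to reach `source`,
    or None when no route covers it.
    """
    addr = ipaddress.ip_address(source)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def strict_urpf_accept(fib, source, arrival_if):
    """Strict-mode uRPF: accept only if the reverse path matches arrival_if."""
    return reverse_path_interface(fib, source) == arrival_if


def classify(fib, packets):
    """Return (source, arrival_if, 'accept'|'drop') for each packet."""
    return [
        (src, iface, "accept" if strict_urpf_accept(fib, src, iface) else "drop")
        for src, iface in packets
    ]


# Constructed sample traffic: (source address, interface it arrived on).
SAMPLE = [
    ("2001:db8:ffff::1", "eth-upstream"),  # external source, expected path
    ("2001:db8:ffff::1", "eth-peer-b"),    # same source arriving from a peer
    ("2001:db8:a::5", "eth-customer"),     # customer using its own prefix
    ("2001:db8:b::9", "eth-customer"),     # customer using a foreign prefix
]

if __name__ == "__main__":
    for row in classify(FIB, SAMPLE):
        print(*row)
```

The second sample row is the case the message describes: the source address is unchanged, but the packet shows up on an interface that is not the route back to that source, so strict uRPF drops it.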
