i agree with jinmei 90%, but i would like to make a single comment:

> This attack is particularly serious in that it affects the entire
> path between the two exploited nodes, not only the nodes themselves
> or their local networks. The same attack can be performed using
> the IPv4 source route option, but the attack is much severer for
> IPv6 because RH0 can contain many more waypoints, which increases
> the amplification factor. Ingress filtering [RFC2827] [RFC3704]
> can mitigate the attack, but it is not widely deployed yet and is
> not expected to be deployed soon.

i disagree with the "Ingress filtering can mitigate the attack" comment.
while an attacker may not be able to spoof its source address if
the attacker is in a network with ingress filtering, it is untrue that
ingress filtering gives real protection against rthdr0 attacks.

i'm writing it with an assumption that nodes would perform ingress
filtering against packets with source-routing header properly - yup,
they CANNOT perform ingress filtering due to the existence and the
nature of the source-routing. it is natural for source-routed packets
to have a source address which seems strange for normal ingress
filtering. if nodes were to filter out source-routed packets based
on ingress filtering, those implementations are mistaken!

anyways, with the deprecation of rthdr0, "correctness" of ingress
filtering does not give any damn. but, if we are to implement and then
write up a spec (yes, we have to implement before writing any spec) for
rthdr0 replacement (rthdr7, i presume:-), nodes that implement ingress
filtering have to consider the above "correctness" stuff.

itojun
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------