On 17 jul 2009, at 20:29, Dave Thaler wrote:

>> In the NAT64 case that would mean that a fake NAT64
>> tries to spoof the source addresses (that encode IPv4 addresses) of
>> the real NAT64.
>
> Now you lost me.  If a NAT64 (whether stateless or stateful) uses
> a CGA, then it can be validated as being the legitimate source of
> an IPv6 packet (that was translated from IPv4).  Another IPv6
> source cannot spoof such traffic.

This can arguably be useful if the first packet originates from the real or fake NAT64. But that would be rare; the first packet comes from the client host. If this host can be tricked into sending packets to the fake NAT64, there's not much point in doing a CGA check for the return traffic: even if the client knows the traffic is fake, the fact that the traffic was directed to the fake NAT64 in the first place creates a successful denial of service.
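The CGA binding Dave refers to, as an added example that is not part of this thread: a minimal RFC 3972 generate/verify in Python, with an assumed /64 prefix and constructed placeholder byte strings in place of real RSA public keys (a deployed CGA also signs each packet with the matching private key, which is not shown). It demonstrates only that an address is bound to one public key; it does nothing for the case the reply raises, where the client has already been steered to the fake NAT64.

```python
import hashlib
import ipaddress

# Assumed /64 for the NAT64's CGA (RFC 3972 hashes an 8-byte subnet prefix).
PREFIX = ipaddress.IPv6Network("2001:db8:64::/64")

def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2 = SHA-1(modifier || 9 zero octets || public key); carries the Sec work factor.
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()

def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    # Hash1 = leftmost 64 bits of SHA-1(modifier || prefix || collision count || public key).
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]

def _hash2_ok(h2: bytes, sec: int) -> bool:
    # The leftmost 16*Sec bits of Hash2 must be zero (Sec = 0 needs no work).
    return sec == 0 or int.from_bytes(h2[:14], "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, pubkey: bytes, sec: int, start_modifier: bytes = bytes(16)):
    """Return (address, modifier); collision count fixed at 0 (no DAD collision)."""
    prefix_bytes = prefix.network_address.packed[:8]
    m = int.from_bytes(start_modifier, "big")
    while not _hash2_ok(_hash2(m.to_bytes(16, "big"), pubkey), sec):
        m = (m + 1) % (1 << 128)  # deterministic search in place of random modifiers
    modifier = m.to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix_bytes, 0, pubkey))
    iid[0] = ((iid[0] & 0x1F) | (sec << 5)) & 0xFC  # bits 0-2 carry Sec; u/g bits cleared
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), modifier

def verify_cga(address, pubkey: bytes, modifier: bytes, collision_count: int = 0) -> bool:
    """Check that address is bound to pubkey by the CGA parameters (RFC 3972 section 5)."""
    prefix_bytes, iid = address.packed[:8], address.packed[8:]
    h1 = _hash1(modifier, prefix_bytes, collision_count, pubkey)
    # Compare Hash1 with the interface ID, ignoring Sec (bits 0-2) and u/g (bits 6-7).
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return _hash2_ok(_hash2(modifier, pubkey), iid[0] >> 5)

def demo(sec: int = 1) -> dict:
    # Constructed placeholder "public keys" (real CGAs use DER-encoded RSA keys).
    real_key = b"constructed-placeholder-public-key-of-the-real-NAT64"
    fake_key = b"constructed-placeholder-public-key-of-a-fake-NAT64"
    addr, modifier = generate_cga(PREFIX, real_key, sec)
    wrong_modifier = modifier[:-1] + bytes([modifier[-1] ^ 1])
    return {
        "address": str(addr),
        "real_key_verifies": verify_cga(addr, real_key, modifier),
        "fake_key_rejected": not verify_cga(addr, fake_key, modifier),
        "tampered_params_rejected": not verify_cga(addr, real_key, wrong_modifier),
    }
```

A receiver that only checks the address/key binding still has to verify the packet signature made with the corresponding private key; otherwise anyone who has seen the CGA parameters can replay them.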
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
