(one word reply in line...)

On 2009-09-16 03:34, Templin, Fred L wrote:
> Brian,
>
>> -----Original Message-----
>> From: Brian E Carpenter [mailto:[email protected]]
>> Sent: Monday, September 14, 2009 9:03 PM
>> To: Templin, Fred L
>> Cc: v6ops; Christian Huitema; [email protected]; [email protected]
>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>
>> On 2009-09-15 04:25, Templin, Fred L wrote:
>>> Brian,
>>>
>>>> -----Original Message-----
>>>> From: Brian E Carpenter [mailto:[email protected]]
>>>> Sent: Friday, September 11, 2009 6:27 PM
>>>> To: Templin, Fred L
>>>> Cc: v6ops; Christian Huitema; [email protected]; [email protected]
>>>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>>>
>>>> On 2009-09-12 11:12, Templin, Fred L wrote:
>>>>> Brian,
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Brian E Carpenter [mailto:[email protected]]
>>>>>> Sent: Friday, September 11, 2009 4:06 PM
>>>>>> To: Templin, Fred L
>>>>>> Cc: Christian Huitema; v6ops; [email protected]; [email protected]
>>>>>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>>>>>
>>>>>> On 2009-09-12 09:13, Templin, Fred L wrote:
>>>>>>
>>>>>> (much text deleted)
>>>>>>
>>>>>>> Otherwise, the best solution IMHO
>>>>>>> would be to allow only routers (and not hosts) on the
>>>>>>> virtual links.
>>>>>> This was of course the original intention for 6to4, so
>>>>>> that any misconfiguration issues could be limited to presumably
>>>>>> trusted staff and boxes. Unfortunately, reality has turned out
>>>>>> to be different, with host-based automatic tunnels becoming
>>>>>> popular.
>>>>> Thanks. I was rethinking this a bit after sending, and
>>>>> I may have been too premature in saying routers only
>>>>> and not hosts.
>>>>>
>>>>> What I would rather have said was that mechanisms such as
>>>>> SEcure Neighbor Discovery (SEND) may be helpful in private
>>>>> addressing domains where spoofing is possible. Let me know
>>>>> if this makes sense.
>>>> Except for the practical problems involved in deploying SEND.
>>> Can it be said that there is any appreciable operational
>>> experience with SEND yet? Are there implementations?
>> I'd like to know that too.
>>
>>>> We still have an issue in unmanaged networks.
>>> By "unmanaged", how unmanaged do you mean?
>> I was thinking of home networks, the kind where Teredo or
>> 6to4 starts up spontaneously. Probably not a concern for
>> ISATAP sites.
>
> OK, thanks for the clarification. I think you probably
> mean home networks where the home gateway has not yet
> been turned into an ISATAP router - else, it would be
> a managed network. Does that sound right?
Yes

    Brian

>
> Fred
> [email protected]
>
>> Brian
>>
>>> ISATAP is
>>> intended for networks where there is at least some modicum
>>> of cooperative management. We want that it can also be used
>>> in "loosely" managed networks where there is an overall mutual
>>> spirit of cooperation but where site-internal link-layer
>>> address spoofing may still be possible. Can SEND be used
>>> for that, or do we need something else in addition (e.g.,
>>> a nonce with every message)?
>>>
>>> Thanks - Fred
>>> [email protected]
>>>
>>>> Brian
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> [email protected]
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
