On Sep 9, 2010, at 7:29 PM, Mark Smith wrote:

> SAVI and things like SeND are beneficial halfway measures, avoiding full
> quarantining.

I would generally agree. Just like being at a cocktail party, there is no way to know just how looped a neighbor is or how it will behave in that condition.

What SeND tries to do is ensure that a system uses exactly one EID on an interface (if it has several prefixes, it will have several addresses, but the lower 64 bits will be what it has a key for). What SAVI tries to do is ensure that if one system is using an address, another system doesn't try to use it also. It only works in switched networks, as it is the switch that imposes the control. On the other hand, consider privacy addresses; one could easily imagine a system periodically changing its EID, or using more than one at a time, perfectly legally. SeND would preclude that; SAVI allows for it.

BTW, both apply to conversations on-LAN, the kind that ONLY go through the switch. Does that solve all problems? Obviously not. It does limit the impact of certain classes of attacks. IP Source Guard, a feature from my company and also from some others, is essentially the same thing for IPv4, and appears to be popular in certain quarters.

Upstream, there are two things that can be done in a router. BCP 38, whether the uRPF or filtered version, is obviously one. If one uses a registered address model in IPv6 Neighbor Discovery (e.g., if a router on your LAN will only forward your packets if it has a neighbor relationship with you in the subnet in question), that similarly forces a certain level of decorum on the host.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
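The two enforcement points the mail contrasts, a SAVI-style binding table on the LAN switch and BCP 38 ingress filtering upstream in the router, can be seen side by side in this added Python model. It is example code written for this page, not code from the thread, from the IETF, or from any vendor's SAVI or IP Source Guard implementation; the addresses, port names, interface names and routing table are constructed for the example. It also shows the privacy-address case the mail raises: a host on one port may hold several addresses at once, and may release one, while a second port is refused an address already bound elsewhere.

```python
"""Added example (not part of the IETF thread or any vendor product): a toy model of
the two enforcement points discussed above, a SAVI-style binding table on a switch
and BCP 38 ingress filtering on a router in its filter-list and strict-uRPF forms.
All addresses, ports and interface names below are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv6Address


@dataclass
class SaviSwitch:
    """Binds each IPv6 address to the switch port that first claimed it (SAVI learns
    this by snooping Duplicate Address Detection), then drops frames whose source
    address is not bound to the arrival port."""
    bindings: Dict[Addr, str] = field(default_factory=dict)

    def claim(self, port: str, addr: str) -> bool:
        """Host on `port` announces `addr`. Refused if another port already owns it."""
        owner = self.bindings.setdefault(Addr(addr), port)
        return owner == port

    def release(self, port: str, addr: str) -> bool:
        """Host on `port` gives up `addr` (e.g. a privacy address that has expired)."""
        a = Addr(addr)
        if self.bindings.get(a) != port:
            return False
        del self.bindings[a]
        return True

    def forward(self, port: str, src: str) -> bool:
        """Accept a frame from `port` only if its source address is bound to that port."""
        return self.bindings.get(Addr(src)) == port

    def addresses_on(self, port: str) -> List[str]:
        """A host may legitimately hold several addresses at once (privacy addresses)."""
        return sorted(str(a) for a, p in self.bindings.items() if p == port)


@dataclass
class Bcp38Router:
    """Ingress filtering in the two forms the mail mentions: a static per-interface
    prefix filter, and strict uRPF (source must be reachable via the arrival interface)."""
    routes: List[Tuple[ipaddress.IPv6Network, str]]   # (prefix, egress interface)
    filters: Dict[str, List[ipaddress.IPv6Network]]    # interface -> permitted source prefixes

    def _lookup(self, addr: Addr) -> Optional[str]:
        """Longest-prefix match; returns the interface the router would use to reach addr."""
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def accept_filtered(self, iface: str, src: str) -> bool:
        """Filter-list version: source must fall in a prefix permitted on this interface."""
        a = Addr(src)
        return any(a in net for net in self.filters.get(iface, []))

    def accept_urpf(self, iface: str, src: str) -> bool:
        """Strict uRPF: drop if the best route back to the source does not exit via iface."""
        return self._lookup(Addr(src)) == iface


def demo() -> dict:
    """Walk through the cases in the mail; returns a dict of outcomes for inspection."""
    sw = SaviSwitch()
    sw.claim("port1", "2001:db8:1::10")
    stolen = sw.claim("port2", "2001:db8:1::10")   # a second host tries the same address
    sw.claim("port1", "2001:db8:1::a1b2")          # a privacy address on the same host
    r = Bcp38Router(
        routes=[(ipaddress.IPv6Network("2001:db8:1::/64"), "lan0"),
                (ipaddress.IPv6Network("::/0"), "uplink")],
        filters={"lan0": [ipaddress.IPv6Network("2001:db8:1::/64")]},
    )
    return {
        "duplicate_claim_refused": not stolen,
        "legit_frame": sw.forward("port1", "2001:db8:1::10"),
        "spoofed_frame": sw.forward("port2", "2001:db8:1::10"),
        "privacy_addrs": sw.addresses_on("port1"),
        "urpf_ok": r.accept_urpf("lan0", "2001:db8:1::10"),
        "urpf_spoof": r.accept_urpf("lan0", "2001:db8:ffff::1"),  # best route is via uplink
        "filter_ok": r.accept_filtered("lan0", "2001:db8:1::10"),
        "filter_spoof": r.accept_filtered("lan0", "2001:db8:ffff::1"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The switch half only ever sees traffic that crosses it, which is the mail's point about on-LAN conversations; the router half is where an address from outside the subnet's own prefix gets caught, whether by an explicit filter list or by the routing table through strict uRPF.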
