Hi, Remi,

Thanks so much for your comments! -- Please find my responses inline....

> As far as I understand, the attack in §2.1 requires that the victim processes
> an IPv4 packet whereby both source and destination are equal to a local
> assigned address. Any sane IPv4 stack will reject such a packet, unless it
> comes from the loopback.

I'd probably agree, but: do stacks actually reject those packets? -- For instance, this attack seems to be effective against the MS Teredo implementation....

> The recommendation in §2.1.2 basically states that Teredo relays should not
> exist. That would formally make Teredo an isolated IPv6 island. Then there's
> not much point in Teredo.

Not sure why you think so. I'm basically arguing that if your node is multihomed, it should not use the Teredo node to route packets, e.g. received from the local LAN, over the Teredo tunnel towards the Internet. -- For instance, these packets would not pass the source address verification checks, anyway! Same thing in the opposite direction: what you receive over the Teredo tunnel should be destined to yourself, not to other nodes in the LAN.

> As for the attack in §2.2, I think it was already discussed here:
> http://www.ietf.org/mail-archive/web/ipv6/current/msg10801.html

Will take a look.

> But again, it seems to assume the IPv4 stack accepts packets with its own
> source address yet coming from the outside.

What do you think about the proposed countermeasure?

Thanks!

Kind regards,
--
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
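The exchange above turns on two host-side checks: an IPv4 stack refusing a packet whose source is one of its own addresses unless it arrived on loopback, and a Teredo host only decapsulating traffic addressed to itself (and only tunnelling traffic it originated) rather than acting as a relay for the LAN. The following is an added example written for this page, not code from the thread, from any Teredo implementation, or from the draft under discussion. It parses a constructed IPv4/UDP/IPv6 Teredo-style packet and applies both checks. Assumptions: the node's addresses are placeholders from the documentation ranges (the real Teredo 2001:0::/32 address format, origin/authentication indications and checksums are not modelled), and the UDP port 3544 is the Teredo service port.

```python
import ipaddress
import struct

TEREDO_PORT = 3544  # Teredo UDP service port

# Constructed node configuration (placeholders, not addresses from the thread).
LOCAL_IPV4 = {ipaddress.IPv4Address("203.0.113.10")}   # this node's IPv4 address(es)
LOCAL_IPV6 = {ipaddress.IPv6Address("2001:db8::1")}    # this node's tunnel-side IPv6 address(es)


def build_teredo_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test packet: IPv4 header + UDP header + bare IPv6 header.
    Checksums are left as zero; no Teredo indications or payload are included."""
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,   # version 6, next header 59 (none)
                       ipaddress.IPv6Address(inner_src).packed,
                       ipaddress.IPv6Address(inner_dst).packed)
    udp_len = 8 + len(ipv6)
    udp = struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, udp_len, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,  # proto 17 = UDP
                       ipaddress.IPv4Address(outer_src).packed,
                       ipaddress.IPv4Address(outer_dst).packed)
    return ipv4 + udp + ipv6


def parse_teredo_packet(pkt):
    """Return (outer_src, outer_dst, inner_src, inner_dst), or None if the bytes
    are not IPv4 / UDP to port 3544 / IPv6."""
    if len(pkt) < 20:
        return None
    vihl, _, _, _, _, _, proto, _, src4, dst4 = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or proto != 17:
        return None
    ihl = (vihl & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    _, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != TEREDO_PORT:
        return None
    inner = pkt[ihl + 8:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4),
            ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40]))


def accept_inbound(pkt, from_loopback=False):
    """Decide whether a received packet may be decapsulated. Returns (accepted, reason)."""
    fields = parse_teredo_packet(pkt)
    if fields is None:
        return (False, "not a Teredo packet")
    outer_src, outer_dst, _inner_src, inner_dst = fields
    # Check 1: a packet claiming one of our own IPv4 addresses as source is only
    # legitimate if it really came from loopback.
    if outer_src in LOCAL_IPV4 and not from_loopback:
        return (False, "outer IPv4 source is a local address but packet did not arrive via loopback")
    if outer_dst not in LOCAL_IPV4:
        return (False, "outer IPv4 destination is not this node")
    # Check 2: what arrives over the tunnel must be destined to this node itself;
    # anything else would have to be forwarded to the LAN, i.e. we would be a relay.
    if inner_dst not in LOCAL_IPV6:
        return (False, "inner IPv6 destination is not this node (would require relaying)")
    return (True, "ok")


def accept_outbound(inner_src, inner_dst):
    """Only packets originated by this node are sent over the Teredo tunnel;
    LAN traffic is not routed through it. Returns (accepted, reason)."""
    if ipaddress.IPv6Address(inner_src) not in LOCAL_IPV6:
        return (False, "inner IPv6 source is not a local address; not forwarding LAN traffic over the tunnel")
    ipaddress.IPv6Address(inner_dst)  # validates the destination is a well-formed IPv6 address
    return (True, "ok")


if __name__ == "__main__":
    spoofed = build_teredo_packet("203.0.113.10", "203.0.113.10", "2001:db8::1", "2001:db8::1")
    genuine = build_teredo_packet("198.51.100.7", "203.0.113.10", "2001:db8::2", "2001:db8::1")
    relayed = build_teredo_packet("198.51.100.7", "203.0.113.10", "2001:db8::2", "2001:db8::abcd")
    for name, pkt in (("spoofed", spoofed), ("genuine", genuine), ("relayed", relayed)):
        print(name, accept_inbound(pkt))
    print("outbound from LAN host", accept_outbound("2001:db8::99", "2001:db8::2"))
```

The packet whose outer source and destination are both the local IPv4 address is the case the quoted comment says a sane stack rejects; the `from_loopback` flag models the one exception Remi names. The third packet is well-formed and addressed to this node at the IPv4 layer but would have to be forwarded to another IPv6 node, which is the relaying behaviour the reply argues a multihomed Teredo host should refuse.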
