Hi, Suresh, Thanks so much for your comments! -- Please see inline...
On 03/15/2013 01:30 PM, Suresh Krishnan wrote: > Hi Fernando, > While I am supportive of getting rid of ICMPv6 responses for 10xxxxxx > options, I am not at all sure about how probable this attack is. My > understanding is that for this attack to work, the following two > conditions need to be met. > > a) Ingress filtering MUST NOT be enabled on the attacker side > b) multicast RPF on the path MUST NOT catch the packet and throw it away > > Is my understanding correct? Yes, it's correct. However, as noted on the "Next steps with draft-ong-t6man-preditable-fragment-id", one usually cannot rely on such filtering. That's mostly why e.g. reflection attacks are still an issue. Thanks, -- Fernando Gont SI6 Networks e-mail: [email protected] PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 -------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
