Fernando,

> > would that be other nodes than yourself and nodes on the same link
> > as yourself?
>
> I guess in some scenarios it might be tricky.
>
> For instance, even with link-local only multicast (as that used for
> ND), you can send a packet to a link-local multicast address, but
> sourced from any global address. Hence you can have your own network
> be an amplifier to attack a third party.

yes, but there are many other ways of doing that, and e.g. ping ff02::1 with victim's source address would be a lot more effective.

> Not to mention that if you're employing e.g. an openvpn Ethernet
> bridge, it becomes fuzzy what's your local link (i.e. real links vs.
> "virtual" link).

a virtual link is as good as any other in this context.

> IMO, this is the kind of feature that's "asking for trouble". IMHO,
> let's fix it, and move on.

I for one would like to see attack vectors outside the local link before supporting adopting this document.

cheers,
Ole
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------