On 2014-08-19 14:35, Fernando Gont wrote:
[..]
>> Though, one would have to inspect the ICMPv6 packet too then....
> 
> Agreed. You need to apply ICMPv6 to the embedded payload...

But also for ICMPv4, which has similar attacks.

Hence we should formulate text a bit like:

8<------------------------
When forwarding or receiving an ICMP error packet:
 - The IP destination of the packet MUST match the source address
   represented in the ICMP error packet.

 - The ICMP error packet's destination address must qualify uRPF rules
   for the same interface as the source address.[1]

As the verified packets are ICMP errors, when the verification fails the
packet MUST be dropped, logging is recommended.

Due to the checking inside the ICMP portion of a packet:
  Access-routers, firewalls and hosts MUST perform these checks.
  Core-routers SHOULD perform these checks

[1] When ICMP-dst address matches IP-src the check should already have
been performed by the standard uRPF check.
------------------------>8

But then in better wording to avoid ambiguity about which src/dst is
which (the one in IP or ICMP).

>> Hmm, maybe time to test that out in sixxsd...
> 
> Just taking my chance to thank you for sixxsd! ;-)

Unfortunately that is only usable for a very small base of connectivity
and hopefully one day will stop being needed. The big brands need to
implement it. And it is much more difficult to push out updates to devices
which are not under one's control and where one has a very large
deployed base.

Greets,
 Jeroen

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
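The first check in the proposed text above (the outer IP destination of an ICMP error MUST equal the source address carried in the embedded, quoted packet) is small enough to show as code. The following is an added illustration, not code from the thread, sixxsd or any RFC: it builds constructed IPv4 and IPv6 packets in memory (no capture, no network), parses the outer header, recognises ICMP/ICMPv6 error types, parses the quoted header after the 8-byte ICMP header, and returns a drop/pass verdict with a reason that could be logged. The uRPF part of the proposal is not modelled. Assumptions: the IPv6 case has no extension headers between the fixed header and ICMPv6, and ICMP checksums are left zero because they play no role in the address comparison.

```python
"""Outer-vs-embedded address consistency check for ICMP / ICMPv6 error messages.

Constructed example: every packet below is assembled in-code, not captured.
Simplification: IPv6 packets are assumed to carry ICMPv6 directly after the
fixed 40-byte header (no extension headers).
"""
import ipaddress
import struct

# ICMP types whose body quotes the offending packet's header (RFC 792 / RFC 4443).
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}   # dest unreach, source quench, redirect, time exceeded, param problem
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}        # dest unreach, packet too big, time exceeded, param problem
PROTO_ICMPV4, PROTO_ICMPV6 = 1, 58


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used for the IPv4 header only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def build_icmp_error(icmp_type: int, code: int, quoted: bytes) -> bytes:
    """Type, code, checksum (left 0, irrelevant here), 4 unused/variable bytes, then the quoted packet."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted


def parse_ipv4(buf: bytes):
    """Return (src, dst, protocol, payload) or raise ValueError on a malformed header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IHL")
    return ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20]), buf[9], buf[ihl:]


def parse_ipv6(buf: bytes):
    """Return (src, dst, next_header, payload); extension headers are not walked (assumption)."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40]), buf[6], buf[40:]


def check_icmp_error(pkt: bytes):
    """Return (verdict, reason). 'drop' when an ICMP error's quoted source address differs
    from the outer destination (or the error is truncated); 'pass' otherwise, including
    packets this check does not apply to (non-ICMP, informational ICMP)."""
    version = pkt[0] >> 4
    if version == 4:
        parse, icmp_proto, error_types = parse_ipv4, PROTO_ICMPV4, ICMPV4_ERROR_TYPES
    elif version == 6:
        parse, icmp_proto, error_types = parse_ipv6, PROTO_ICMPV6, ICMPV6_ERROR_TYPES
    else:
        return "pass", "not an IP packet"
    outer_src, outer_dst, proto, l4 = parse(pkt)
    if proto != icmp_proto:
        return "pass", "not ICMP"
    if len(l4) < 8:
        return "drop", "truncated ICMP header"
    if l4[0] not in error_types:
        return "pass", "ICMP informational message, nothing embedded to verify"
    try:
        inner_src, inner_dst, _, _ = parse(l4[8:])
    except ValueError as exc:
        return "drop", "embedded packet unparsable: %s" % exc
    if inner_src != outer_dst:
        return "drop", "outer dst %s != embedded src %s (from %s)" % (outer_dst, inner_src, outer_src)
    return "pass", "outer dst %s matches embedded src" % outer_dst


def demo() -> dict:
    """Constructed scenarios: 192.0.2.10 / 2001:db8::10 sent a UDP packet; a router reports it
    unreachable. The 'spoofed' cases address that error to a host that never sent the quoted packet."""
    orig4 = build_ipv4("192.0.2.10", "198.51.100.7", 17, b"\x00" * 8)
    orig6 = build_ipv6("2001:db8::10", "2001:db8:1::7", 17, b"\x00" * 8)
    cases = {
        "valid_v4":    build_ipv4("203.0.113.1", "192.0.2.10", PROTO_ICMPV4, build_icmp_error(3, 1, orig4)),
        "spoofed_v4":  build_ipv4("203.0.113.1", "192.0.2.99", PROTO_ICMPV4, build_icmp_error(3, 1, orig4)),
        "valid_v6":    build_ipv6("2001:db8:ffff::1", "2001:db8::10", PROTO_ICMPV6, build_icmp_error(1, 3, orig6)),
        "spoofed_v6":  build_ipv6("2001:db8:ffff::1", "2001:db8::99", PROTO_ICMPV6, build_icmp_error(1, 3, orig6)),
        "echo_req_v4": build_ipv4("192.0.2.10", "198.51.100.7", PROTO_ICMPV4, build_icmp_error(8, 0, b"")),
        "truncated_v4": build_ipv4("203.0.113.1", "192.0.2.10", PROTO_ICMPV4, build_icmp_error(3, 1, orig4[:12])),
    }
    return {name: check_icmp_error(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print("%-13s %-4s %s" % (name, verdict, reason))
```

Running the block prints one verdict line per constructed case; the two "spoofed" cases and the truncated one come out as drop, the valid errors and the echo request as pass. Per the proposal, a drop here is a log-worthy event on access routers, firewalls and hosts, since the error message cannot possibly be a response to anything the addressed host sent.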