Hello, Jeroen,

On 08/19/2014 10:18 AM, Jeroen Massar wrote:
> Hence we should formulate text a bit like:
>
> 8<------------------------
> When forwarding or receiving an ICMP error packet:
>  - The IP destination of the packet MUST match the source address
>    represented in the ICMP error packet.
>
>  - The ICMP error packet's destination address must qualify uRPF rules
>    for the same interface as the source address.[1]
>
> As the verified packets are ICMP errors, when the verification fails the
> packet MUST be dropped, logging is recommended.
>
> Due to the checking inside the ICMP portion of a packet:
>  Access-routers, firewalls and hosts MUST perform these checks.
>  Core-routers SHOULD perform these checks
>
> [1] When ICMP-dst address matches IP-src the check should already have
>     been performed by the standard uRPF check.
> ------------------------>8

Should we include something along these lines to the countermeasures
listed in draft-gont-v6ops-ipv6-ehs-in-real-world, or were you thinking
about something else?

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
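
The first rule in the quoted text (outer IP destination must equal the source address of the packet embedded in the ICMP error) can be sketched for ICMPv6 as follows. This is an added example, not code from the message or the draft; the function names and the 2001:db8::/32 sample packets are constructed. It assumes the outer packet carries no extension headers, treats an embedded header too short to verify as a failed check, and does not model the uRPF rule.

```python
import ipaddress
import struct

IPV6_HDR, ICMPV6_HDR, NH_ICMPV6 = 40, 8, 58

def check_icmpv6_error(packet: bytes) -> str:
    """Return 'pass', 'drop' or 'not-applicable' for a raw IPv6 packet."""
    if len(packet) < IPV6_HDR or packet[0] >> 4 != 6 or packet[6] != NH_ICMPV6:
        return "not-applicable"          # not IPv6 carrying ICMPv6 directly
    if len(packet) < IPV6_HDR + ICMPV6_HDR:
        return "drop"                    # truncated ICMPv6 header
    if packet[IPV6_HDR] >= 128:
        return "not-applicable"          # types 128-255 are informational
    inner = packet[IPV6_HDR + ICMPV6_HDR:]
    if len(inner) < IPV6_HDR or inner[0] >> 4 != 6:
        return "drop"                    # embedded packet cannot be verified
    # Outer destination is bytes 24..39; embedded source is bytes 8..23.
    return "pass" if packet[24:40] == inner[8:24] else "drop"

def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 packet (version 6, hop limit 64)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def build_icmpv6_error(reporter: str, target: str, original: bytes) -> bytes:
    """Wrap 'original' in a Destination Unreachable (type 1) error.
    The checksum is left at zero because the check above does not use it."""
    icmp = struct.pack("!BBHI", 1, 0, 0, 0) + original
    return build_ipv6(reporter, target, NH_ICMPV6, icmp)

# Constructed sample traffic (documentation prefix only).
HOST, SERVER, ROUTER = "2001:db8:1::10", "2001:db8:2::20", "2001:db8:ffff::1"
ORIGINAL = build_ipv6(HOST, SERVER, 17, b"\x00" * 8)
LEGIT = build_icmpv6_error(ROUTER, HOST, ORIGINAL)
# Error delivered to HOST about a packet HOST never sent.
FORGED = build_icmpv6_error(
    ROUTER, HOST, build_ipv6("2001:db8:3::99", SERVER, 17, b"\x00" * 8))

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("forged", FORGED)):
        print(name, check_icmpv6_error(pkt))
```
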
