At Tue, 19 Aug 2014 09:00:15 -0300,
Fernando Gont <[email protected]> wrote:

> you could essentially DoS traffic between them
>
> As noted in the I-D, the mitigations seem to be:
>
> 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6
> PTB, or,
>
> 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU
> smaller than 1280.
>
> Thoughts?

In my general understanding, ICMPv6 PTB with the MTU < 1280 could be
only (at least in practice) used for the "stateless" type of IPv4/v6
translators so that the IPv6-only host can give the translator a hint
for the 16-bit IPv4 header ID value.  Am I correct?

If so, one possible alternative would be to drop such ICMPv6 PTB
unless the source IPv6 address is one of those reserved for such use
(as defined in RFC 6052).  Then we can at least reduce the problem to
source address spoofing.  And, unless/until we heavily rely on such
types of translators, this may be actually sufficient in practice,
since in the vast majority of legitimate cases we should use different
addresses than those special ones.

--
JINMEI, Tatuya
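The filter sketched in this thread, as an added example that is not part of the original message or of any IETF text: a PTB claiming a Next-Hop MTU of at least 1280 is accepted as usual, one claiming less is accepted only when its IPv6 source falls inside a translator prefix (the RFC 6052 well-known prefix 64:ff9b::/96, plus any operator-configured network-specific prefixes), and everything else is dropped. The sample messages and the prefix list are constructed for illustration.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280          # RFC 2460 minimum link MTU
ICMPV6_PACKET_TOO_BIG = 2    # ICMPv6 type for PTB

# RFC 6052 well-known prefix; an operator would append its own
# network-specific prefixes (NSPs) here. Constructed for this example.
TRANSLATOR_PREFIXES = [ipaddress.IPv6Network("64:ff9b::/96")]


def parse_ptb(icmpv6: bytes):
    """Return (claimed_mtu, invoking_packet) for a raw ICMPv6 PTB message,
    or None if the bytes are not a well-formed Packet Too Big message."""
    if len(icmpv6) < 8:
        return None
    msg_type, code, _checksum, mtu = struct.unpack("!BBHI", icmpv6[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG or code != 0:
        return None
    return mtu, icmpv6[8:]


def ptb_disposition(src_addr: str, claimed_mtu: int,
                    translator_prefixes=TRANSLATOR_PREFIXES) -> str:
    """Decide what to do with a PTB from src_addr claiming claimed_mtu.

    'accept'                 MTU >= 1280, normal PMTUD processing
    'accept-translator-hint' MTU < 1280 but the sender is a stateless
                             IPv4/IPv6 translator (RFC 6052 address)
    'drop'                   MTU < 1280 from anywhere else
    """
    addr = ipaddress.IPv6Address(src_addr)
    if claimed_mtu >= IPV6_MIN_MTU:
        return "accept"
    if any(addr in net for net in translator_prefixes):
        return "accept-translator-hint"
    return "drop"


def filter_ptb(src_addr: str, icmpv6: bytes) -> str:
    """Parse a raw ICMPv6 message and apply the policy; non-PTB -> 'ignore'."""
    parsed = parse_ptb(icmpv6)
    if parsed is None:
        return "ignore"
    claimed_mtu, _invoking = parsed
    return ptb_disposition(src_addr, claimed_mtu)


def make_ptb(mtu: int, invoking: bytes = b"\x60" + b"\x00" * 39) -> bytes:
    """Build a constructed PTB (checksum left zero) for testing the filter."""
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking
```

Because the decision keys on the source address, the remaining exposure is exactly the spoofing case the message describes, so this check belongs alongside ingress filtering of the translator prefixes.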

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec