At Thu, 21 Aug 2014 03:24:34 -0300, Fernando Gont <[email protected]> wrote:
> >> [...] The one you suggested addresses
> >> only one of the two kinds of translators (if I understood correctly),
> >> and may still leave the door open in some scenarios.
> >
> > Specifically?
>
> Well, you can only really apply the suggested check to the stateless
> translation scenario.

Yes, and I thought we'd be okay with that, based on the assumption/understanding that PTB<1280 is only useful for stateless translation scenarios (and that's why I first asked this in my very original message of this thread).

> But since a host does not know where it will be
> deployed, it cannot (out of the box) require that e.g. ICMPv6 PTB<1280
> use any specific part of the address space.
>
> Put another way, the mitigation would not "just work out of the box" for
> any of the servers running on the public Internet.
>
> And then, for the scenarios "a" or "c" from Section 2 of RFC6144, you
> still need to enforce filtering to prevent attacks within the IPv6 network.

Do you mean this mitigation isn't effective if the well-known prefix (64:ff9b::/96) isn't used for the IPv4-Embedded IPv6 Addresses in the stateless translation scenario? If so, that's correct, and I have to confess I don't remember all details and variations of translation technologies and I assumed that stateless translation always uses the well-known prefix. Maybe I was incorrect about that?

--
JINMEI, Tatuya

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
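The host-side check the two messages argue about, written out as an added example (not code from either poster or from any IETF document): honour an ICMPv6 Packet Too Big with MTU below 1280 only when the packet it echoes was sent to an IPv4-embedded IPv6 address. The function and helper names are mine; the default prefix list contains only the well-known prefix 64:ff9b::/96, and `embedded_ipv4` assumes the /96 layout with the IPv4 address in the low 32 bits, which is exactly the "out of the box" limitation Gont raises: a network-specific prefix must be supplied by configuration.

```python
import ipaddress

IPV6_MIN_MTU = 1280
WELL_KNOWN_PREFIX = "64:ff9b::/96"  # RFC 6052 well-known prefix


def should_honour_ptb(reported_mtu, original_dst, translation_prefixes=(WELL_KNOWN_PREFIX,)):
    """Decide whether a host should act on an ICMPv6 PTB message.

    reported_mtu         -- MTU field carried by the PTB
    original_dst         -- destination address of the packet echoed in the PTB
    translation_prefixes -- IPv6 prefixes known (by configuration) to front a
                            stateless IPv6->IPv4 translator; default: WKP only
    """
    dst = ipaddress.IPv6Address(original_dst)
    if reported_mtu >= IPV6_MIN_MTU:
        # Ordinary path-MTU signal, nothing translator-specific about it.
        return True
    # A PTB below the IPv6 minimum MTU is only meaningful when the path
    # crosses a translator into an IPv4 network; on a pure IPv6 path it would
    # merely make the host emit atomic fragments, which is the concern here.
    prefixes = [ipaddress.ip_network(p) for p in translation_prefixes]
    return any(dst in p for p in prefixes)


def embedded_ipv4(original_dst):
    """Return the IPv4 address embedded in a /96-style IPv4-embedded IPv6
    address (assumption: IPv4 occupies the low 32 bits, as with the WKP)."""
    dst = ipaddress.IPv6Address(original_dst)
    return str(ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample destinations: WKP-translated, plain IPv6, and an
    # operator's network-specific prefix (2001:db8:1::/96) that the host
    # cannot know unless it is configured with it.
    for mtu, dst in [(1000, "64:ff9b::c000:201"),
                     (1000, "2001:db8::1"),
                     (1000, "2001:db8:1::c000:201")]:
        print(mtu, dst, should_honour_ptb(mtu, dst))
    print(should_honour_ptb(1000, "2001:db8:1::c000:201",
                            (WELL_KNOWN_PREFIX, "2001:db8:1::/96")))
```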
