Hi,

> > On 21 Jan 2010 at 10:31, WashamFan wrote:
> >
> > > If 6rd-A and 6rd-B belong to the same 6rd domain, I don't see the
> > > routing loops.
> >
> > This is a limit case, but if a BR accepts tunnels toward other BRs of
> > the same domain, an IPv6 Internet host with a spoofed source address
> > can initiate a loop:
> >
> >   v6dst = v6src = PA.Aa
> >
> >   +------------------------+
> >   |         ====>          |
> >   |                        |
> >   |     IPv6 Internet      |
> >   |                        |
> >   +------+-----------+-----+
> >          |           |
> >          |prefix PA  |prefix PA
> >       +--+--+     +--+--+
> >   +---+6rd-A+-----+6rd-B+--+
> >   |   +-----+     +-----+  |
> >   | address Aa  address Aa |
> >   |         <====          |
> >   |                        |
> >   |        IPv4 ISP        |
> >   +------------------------+
>
> Assuming 6rd-A receives a packet with v6dst = v6src = PA.Aa.x from the
> IPv6 Internet, will it forward a tunneled packet (after 6rd
> encapsulation) whose IPv4 destination address is itself (i.e., the
> anycast address Aa)? By the way, if the strict uRPF is enabled on 6rd-A,
> the above IPv6 packet should be dropped before performing 6rd
> encapsulation. Correct?

That is exactly the reason why I said no routing loop between BRs in the same 6rd domain. Note that even if the attacker uses the unicast address instead of the anycast address, it does not work either.

washam
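
Added example (not part of the original thread and not taken from any 6rd implementation): a small Python model of the two BR-side checks discussed above, strict uRPF on the IPv6 Internet interface and refusing to encapsulate toward the BR's own IPv4 address. The prefix 2001:db8::/32 for PA, 192.0.2.1 for Aa, a full 32-bit embedded IPv4 address, and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration (documentation ranges, not from the thread).
SIXRD_PREFIX = ipaddress.ip_network("2001:db8::/32")  # "PA" in the thread
BR_IPV4 = ipaddress.ip_address("192.0.2.1")           # anycast address "Aa"


def embedded_ipv4(v6addr, prefix=SIXRD_PREFIX):
    """Return the IPv4 address embedded right after the 6rd prefix
    (assumes all 32 IPv4 bits are embedded), or None if outside the prefix."""
    addr = ipaddress.ip_address(v6addr)
    if addr not in prefix:
        return None
    shift = 128 - prefix.prefixlen - 32
    return ipaddress.ip_address((int(addr) >> shift) & 0xFFFFFFFF)


def br_decision(v6src, v6dst, ingress):
    """Model of a BR's handling of one IPv6 packet.
    ingress is "internet" (native IPv6 side) or "tunnel" (6rd side)."""
    # Strict uRPF: the route back to any source inside the 6rd prefix points
    # at the tunnel interface, so such a source arriving on the IPv6
    # Internet interface fails the reverse-path check.
    if ingress == "internet" and embedded_ipv4(v6src) is not None:
        return "drop: uRPF (6rd source on Internet interface)"
    v4dst = embedded_ipv4(v6dst)
    if v4dst is None:
        return "forward natively"
    # Second check: never encapsulate toward this BR's own IPv4 address.
    if v4dst == BR_IPV4:
        return "drop: tunnel endpoint is this BR"
    return f"encapsulate to {v4dst}"


if __name__ == "__main__":
    spoofed = "2001:db8:c000:201::1"   # PA.Aa.x, constructed sample
    outside = "3fff:0:0:1::1"          # non-6rd source, constructed sample
    customer = "2001:db8:c633:6407::1"  # embeds 198.51.100.7, constructed
    print(br_decision(spoofed, spoofed, "internet"))
    print(br_decision(outside, spoofed, "internet"))
    print(br_decision(outside, customer, "internet"))
```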
