On 09/02/2013 07:34 AM, Ole Troan wrote:
>>>
>>> If you read chapter 5 it starts out by explaining how RPF check
>>> is always done for multicast.
>>>
>>> Due to the RPF check, the possibility of spoofing is
>>> significantly reduced. Just like it is when using unicast RPF.
>>> Hence I don't think this attack vector is that serious.
>>
>> That might help preventing an attacker to exploit this against
>> an arbitrary system, but not against all nodes.
>
> would that be other nodes than yourself and nodes on the same link
> as yourself?

I guess in some scenarios it might be tricky. For instance, even with
link-local only multicast (as that used for ND), you can send a packet
to a link-local multicast address, but sourced from any global address.
Hence you can have your own network be an amplifier to attack a third
party.

Not to mention that if you're employing e.g. an openvpn Ethernet
bridge, it becomes fuzzy what's your local link (i.e. real links vs.
"virtual" link).

IMO, this is the kind of feature that's "asking for trouble". IMHO,
let's fix it, and move on.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
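The case raised in the reply above (a packet to a link-local multicast group carrying an off-link global source) can be caught with a first-hop source check. The following is an added example, not part of the original message or of any document discussed in the thread; the on-link prefix list, function names and sample packets are constructed assumptions.

```python
import ipaddress

# Assumption: prefixes the operator has configured as on-link for this segment.
ONLINK_PREFIXES = [ipaddress.ip_network("2001:db8:1::/64")]
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")


def multicast_scope(dst):
    """Return the 4-bit scope of an IPv6 multicast address, or None if unicast."""
    if not dst.is_multicast:
        return None
    return dst.packed[1] & 0x0F  # RFC 4291 layout: ff | flags | scope


def check_packet(src, dst, onlink=ONLINK_PREFIXES):
    """Classify one packet seen on the segment: 'pass' or 'off-link-source'."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    # Only interface-local (1) and link-local (2) scope are judged here;
    # wider scopes are left to the routers' multicast RPF check.
    if multicast_scope(dst) not in (1, 2):
        return "pass"
    if src == UNSPECIFIED or src in LINK_LOCAL:  # "::" is used during DAD
        return "pass"
    if any(src in net for net in onlink):
        return "pass"
    # A global source that cannot live on this link: replies elicited by the
    # group members would be sent toward that third-party address.
    return "off-link-source"


# Constructed sample traffic: (source, destination).
SAMPLE = [
    ("fe80::1", "ff02::1"),                  # ordinary link-local sender
    ("::", "ff02::1:ff00:1234"),             # DAD neighbor solicitation
    ("2001:db8:1::10", "ff02::1"),           # global source, but on-link
    ("2001:db8:ffff::53", "ff02::1"),        # global source, off-link
    ("2001:db8:ffff::53", "ff05::2"),        # site scope: not this check's job
    ("2001:db8:ffff::53", "2001:db8:1::10"), # unicast: not this check's job
]


def flagged(packets=SAMPLE):
    """Return the packets a first-hop filter would drop or log."""
    return [p for p in packets if check_packet(*p) == "off-link-source"]
```

On a bridged or tunnelled segment such as the openvpn case mentioned in the message, the on-link prefix list has to cover every prefix legitimately present on the "virtual" link, otherwise the check produces false positives.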
