
RE: [RRG] Re: Six/One Router revised 2008-07-12 - IPsec



Robin,

>Hosts should be very fussy about accepting ICMPv6 Error Messages, to
>protect against an off-path attacker guessing the values of packets
>recently sent and thereby successfully launching a DoS by sending
>spoofed ICMPv6 Error Message packets to the sending host.

Said another way, an approach in which hosts within
a site rely on PMTU messaging from anonymous routers
outside of the site is fragile at best and susceptible
to spoofing attacks. (The same is not true when hosts
only need to rely on PMTU messaging from trusted
routers within the site.)

Fred
fred.l.templin@boeing.com

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
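The strictness asked for in the quoted text, as an added example that is not part of the original message or of any implementation discussed on the list: a host accepts an ICMPv6 Packet Too Big message only if the packet embedded in it matches data the host actually has in flight, so an off-path sender has to guess the full flow tuple and a live sequence number. The function names, the `flows` table layout and the sample addresses are assumptions made for this sketch, and it handles only TCP directly following the IPv6 header (no extension headers).

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280  # IPv6 minimum link MTU; this sketch never goes below it

def build_ptb(mtu, src, dst, sport, dport, seq):
    """Construct a sample ICMPv6 Packet Too Big message (checksum left as 0)."""
    tcp = struct.pack("!HHI", sport, dport, seq)           # first 8 bytes of TCP
    ip6 = (struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)  # version 6, next header TCP
           + ipaddress.IPv6Address(src).packed
           + ipaddress.IPv6Address(dst).packed)
    return struct.pack("!BBHI", 2, 0, 0, mtu) + ip6 + tcp  # type 2, code 0

def accept_ptb(icmp, flows, current_pmtu):
    """Return the new path MTU if the message is plausible, else None.

    flows (hypothetical host state) maps (src, dst, sport, dport), with
    addresses in compressed text form, to (snd_una, snd_nxt) for each of
    this host's active TCP connections.
    """
    if len(icmp) < 8 + 40 + 8:          # ICMPv6 header + IPv6 header + 8 TCP bytes
        return None
    typ, code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if typ != 2 or code != 0:
        return None
    if not IPV6_MIN_MTU <= mtu < current_pmtu:
        return None                     # may only lower the PMTU, never below 1280
    inner = icmp[8:]
    vtf, _plen, nxt, _hlim = struct.unpack("!IHBB", inner[:8])
    if vtf >> 28 != 6 or nxt != 6:
        return None                     # not IPv6/TCP: out of scope for this sketch
    src = str(ipaddress.IPv6Address(inner[8:24]))
    dst = str(ipaddress.IPv6Address(inner[24:40]))
    sport, dport, seq = struct.unpack("!HHI", inner[40:48])
    window = flows.get((src, dst, sport, dport))
    if window is None:
        return None                     # we never sent a packet on this flow
    snd_una, snd_nxt = window
    # Sequence number must fall inside unacknowledged data (mod 2^32 arithmetic).
    if (seq - snd_una) & 0xFFFFFFFF >= (snd_nxt - snd_una) & 0xFFFFFFFF:
        return None
    return mtu

# Constructed sample state: one connection with bytes 1000..4999 in flight.
SAMPLE_FLOWS = {("2001:db8::1", "2001:db8:ffff::2", 49152, 443): (1000, 5000)}
```

A message that fails any check is dropped without changing the path MTU estimate; a production stack would also verify the ICMPv6 checksum and rate-limit what it processes.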