Re: mech-v2: decapsulation check updates
Hi,
On Thu, Feb 05, 2004 at 03:22:57PM -0000, Tom Petch wrote:
> A thought. The day before you sent this, I heard an interesting
> presentation at RIPE-47 on tunnel discovery which used host to router
> tunnels to find out how many tunnels there are in v6 (A: lots!) and
> also flagged some of the dangers, e.g. of ND packets sent direct from
> host to egress router. It recommended keeping tunnels to network edge
> and using GRE (didn't grasp why).
I've been there as well, and spent some time discussing this with the
author.
As far as I can see, the fears about "users could do bad things with
ND and other 'link-local' things that way" are more due to "some fuzzy
feeling that people could do bad things", and not based on hard facts.
On the other hand, address spoofing is a real threat - and as Jeroen said,
the only thing you can do about it is to make sure that IPv4 uRPF is
widely deployed...
Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 58081 (57882)
SpaceNet AG Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
80807 Muenchen Fax : +49-89-32356-299