
Re: mech-v2: decapsulation check updates



Hi,

On Thu, Feb 05, 2004 at 03:22:57PM -0000, Tom Petch wrote:
> A thought.  The day before you sent this, I heard an interesting
> presentation at RIPE-47 on tunnel discovery which used host to router
> tunnels to find out how many tunnels there are in v6 (A: lots!) and
> also flagged some of the dangers, e.g. of ND packets sent direct from
> host to egress router.  It recommended keeping tunnels to network edge
> and using GRE (didn't grasp why).

I've been there as well, and spent some time discussing this with the
author.

As far as I can see, the fears about "users could do bad things with
ND and other 'link-local' things that way" are more due to "some fuzzy
feeling that people could do bad things", and not based on hard facts.

On the other hand, address spoofing is a real threat - and as Jeroen said,
the only thing you can do about it is to make sure that IPv4 uRPF is
widely deployed...

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  58081  (57882)

SpaceNet AG                 Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14   Tel : +49-89-32356-0
80807 Muenchen              Fax : +49-89-32356-299