Vishwas Manral wrote:
> Hi David,
>
>> I think I agree with Francis, that it doesn't really matter.
>> However, it is probably worth noting that your check does not
>> prevent the attack either. If you can find 128 live addresses
>> on either side of the router you can carry out the attack
>> without listing any address twice.
>>
>> (I guess you might want to use a routing header that traverses
>> a single router a few times to get a better estimate of the RTT
>> through that router.)
> That is a very interesting point and I did not see it that way. However
> we should note down the attack in the draft even if we do not know how
> best to solve it (we are tracking security considerations for IPv6).

If you want to 'solve' this attack then *IGNORE* the Routing Header.
Or at least send an ICMP parameter problem back to the sending host.

One can always do a traceroute and use the path shown in reverse or a bit
mixed to create a nice loop already.

Personally I don't see much use for a Routing Header but there are
apparently folks who have a use for them other than abuse.

Greets,
 Jeroen
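The two checks discussed in this thread, side by side, as an added example that is not part of the original message or of any draft: a duplicate-address check and the "ignore, or answer with ICMP Parameter Problem" policy, applied to a parsed Type 0 Routing Header. The function names are hypothetical, the header layout is assumed to be the RFC 2460 one, and the sample headers are constructed from the documentation prefix.

```python
import ipaddress
import struct

ICMP6_PARAM_PROBLEM = 4  # ICMPv6 type 4; code 0 = erroneous header field


def parse_rh(hdr: bytes):
    """Parse a Routing Header (RFC 2460 layout) into (type, segments_left, addresses)."""
    if len(hdr) < 8:
        raise ValueError("routing header shorter than 8 octets")
    _next_hdr, ext_len, rtype, segs_left = struct.unpack_from("!BBBB", hdr)
    total = 8 + 8 * ext_len              # Hdr Ext Len excludes the first 8 octets
    if len(hdr) < total:
        raise ValueError("truncated routing header")
    if rtype != 0:
        return rtype, segs_left, []      # only type 0 carries a plain address list
    if ext_len % 2:
        raise ValueError("type 0 needs an even Hdr Ext Len")
    addrs = [ipaddress.IPv6Address(hdr[o:o + 16]) for o in range(8, total, 16)]
    if segs_left > len(addrs):
        raise ValueError("Segments Left exceeds address count")
    return rtype, segs_left, addrs


def duplicate_check(hdr: bytes) -> bool:
    """Check from the quoted text: accept unless some address is listed twice."""
    _, _, addrs = parse_rh(hdr)
    return len(set(addrs)) == len(addrs)


def ignore_policy(hdr: bytes):
    """Policy from the reply: never act on the header; report it to the sender."""
    _, segs_left, _ = parse_rh(hdr)
    if segs_left == 0:
        return ("accept", None)          # nothing left to route, header is inert
    # Assumption: pointer is given relative to this header (octet 2 = Routing Type).
    return ("icmp", (ICMP6_PARAM_PROBLEM, 0, 2))


def build_rh0(addrs, next_hdr=59):
    """Constructed sample input: a type 0 header listing addrs, all still to visit."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", next_hdr, 2 * len(addrs), 0, len(addrs), 0) + body


# Constructed samples: one header repeats a hop, the other never does.
REPEATED = build_rh0(["2001:db8::1", "2001:db8::2", "2001:db8::1"])
DISTINCT = build_rh0([f"2001:db8::{i:x}" for i in range(1, 7)])
```

The duplicate check rejects `REPEATED` but accepts `DISTINCT`, while the ignore policy returns the Parameter Problem decision for both.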