tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ICMPv6 redirects



On Mon, 7 Sep 2009 19:59:32 -0400 (EDT)
der Mouse <mouse%Rodents-Montreal.ORG@localhost> wrote:

> > I do understand why this is implemented this way.  But shouldn't
> > this be tunable?
> 
> That depends on the extent to which you agree with the point of view
> that the IPv6 design people know better than you do how your network
> should be set up.  I've run into parallel issues myself often enough;
> I've been told everything from I should always use prefixlen 64 to I
> should never do static routing.
> 
> I prefer not to drink the koolaid.  I work on the "as if" principle:
> if you can't tell from the outside whether I'm doing it, it's not
> appropriate to gratuitously forbid it.
> 
> But, of course, I didn't write the code, and if I did write code that
> implements that I, um, doubt it would be accepted, shall we say.
> 
In this case, though, there's a security issue, though arguably one
that's not a lot more serious than Neighbor Discovery without SEND.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb


Home | Main Index | Thread Index | Old Index