Re: IPv6 w.g. Last Call on "IPv6 Node Information Queries"



On Fri, 11 Jul 2003, Michael Hunter wrote:

> On Fri, 11 Jul 2003 08:00:36 +0300 (EEST)
> Pekka Savola <pekkas@netcore.fi> wrote:
> 
> [...]
> > > The other one is: if a NIQ is sent to a RFC3041 address, do you reply to
> > > it? My take is that by default, you should not and have a switch to
> > > override.
> > 
> > But I fail to see any use for this.  Typically when you implement these, I
> > think they'll listen to all addresses ("any incoming packet").  It seems
> > that disabling one set of addresses and even giving users a toggle of
> > rather little value would be useless.  But of course, one might have to 
> > implement differently too.
> 
> The association between RFC3041 addresses and other addresses is what you
> want to protect.  If you let a 3rd party discover that association with
> NIQ then you've removed the little usefulness that RFC3041 addresses have.

Please re-read what you write.

What you're implying is that those you're worried about would learn your 
"true identity" and not RFC3041 would be the ones allowed to send NIQ's to you 
and you'd actually answer them?

Never.  Never.

I'd go as far as state that off-link NIQ's MUST be disabled by default and 
MUST NOT be enabled unless there are access controls specific to the 
requester (e.g. IPsec SA) which allow that.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to majordomo@sunroof.eng.sun.com
--------------------------------------------------------------------
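
The two defaults argued for in this message (no answer to queries addressed to an RFC3041 temporary address unless a switch is set, and no answer to off-link requesters without requester-specific access control), written as a responder-side filter. This is an added example, not code from the thread or from any NIQ implementation; the `NiqPolicy` class, its parameters and all addresses are hypothetical, and the `authorized_peers` set is an assumed stand-in for a real check that an IPsec SA exists with the requester.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")  # never forwarded, so always on-link


class NiqPolicy:
    """Responder-side filter for Node Information Queries (hypothetical class)."""

    def __init__(self, on_link_prefixes, temporary_addrs,
                 authorized_peers=(), answer_on_temporary=False):
        self.on_link = [ipaddress.ip_network(p) for p in on_link_prefixes]
        self.temporary = {ipaddress.ip_address(a) for a in temporary_addrs}
        # Assumption: stands in for "an IPsec SA exists with this requester".
        self.authorized = {ipaddress.ip_address(a) for a in authorized_peers}
        self.answer_on_temporary = answer_on_temporary  # override switch, off by default

    def is_on_link(self, src):
        return src in LINK_LOCAL or any(src in net for net in self.on_link)

    def decide(self, src, dst):
        """Return (answer, reason) for a query from src addressed to dst."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.is_on_link(src) and src not in self.authorized:
            return False, "off-link requester without requester-specific access control"
        if dst in self.temporary and not self.answer_on_temporary:
            return False, "query addressed to an RFC3041 temporary address"
        return True, "permitted"


# Constructed sample configuration (documentation prefix 2001:db8::/32).
TEMP = "2001:db8:1:0:a1b2:c3d4:e5f6:1234"
POLICY = NiqPolicy(
    on_link_prefixes=["2001:db8:1::/64"],
    temporary_addrs=[TEMP],
    authorized_peers=["2001:db8:ffff::10"],
)

if __name__ == "__main__":
    for src, dst in [
        ("fe80::1", "2001:db8:1::1"),
        ("2001:db8:2::5", "2001:db8:1::1"),
        ("2001:db8:ffff::10", "2001:db8:1::1"),
        ("2001:db8:1::99", TEMP),
    ]:
        print(src, "->", dst, POLICY.decide(src, dst))
```

With these defaults a requester never receives a reply from a temporary address, so it cannot use NIQ to tie that address to the node's other addresses or names.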