
Re: Hop Limit in Inner Header (IPv6)



Peter> of the protocol design is that all NDP messages can only be received from
Peter> the link to which you are fastened (physically or logically).  By setting
Peter> the HL to 255, an attempt to spoof an NDP message by forwarding it onto the
Peter> link can be detected.  *IF* IPSEC, using tunnel mode ESP, is to be used for
Peter> NDP then it is essential that this behaviour is maintained.
> 
Peter> Of course, there may not be a need to use IPSEC in this mode for this purpose.

  It would seem that this is something a v6 implementation
should simply not do. My reading of the NDP document suggests that most
NDP stuff is done with multicast, and is intended to be used on physical
links only.
  I don't really see the worry. 
  If for some reason one wanted to tunnel NDP datagrams through an ESP
tunnel between two link-local machines, the HL on the ESP packet should
probably be set to 255, and checked at the other end.
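The receive-side check the thread is discussing, as an added illustration (this is not code from the original message or from any particular IPv6 stack): an NDP message (ICMPv6 types 133 through 137) is accepted only if its IPv6 Hop Limit is still 255, since any router that forwarded it onto the link would have decremented the field. The second function models the tunnel-mode suggestion in the reply above, requiring the outer ESP packet's Hop Limit to be 255 as well as the inner one. It assumes the caller has already authenticated and decrypted the ESP payload, and it does not walk extension headers or verify the ICMPv6 checksum; the sample packets are constructed inline with a zero checksum for that reason. The Hop Limit rule itself is the one later standardised in RFC 4861.

```python
"""Hop Limit 255 check for IPv6 Neighbor Discovery, direct and tunneled."""
import struct

IPPROTO_ESP = 50
IPPROTO_ICMPV6 = 58
IPV6_HDR_LEN = 40
NDP_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect

# Constructed sample addresses: fe80::1 -> ff02::1 (all-nodes multicast).
LINK_LOCAL_SRC = bytes.fromhex("fe800000000000000000000000000001")
ALL_NODES_DST = bytes.fromhex("ff020000000000000000000000000001")


def build_ipv6(next_header, hop_limit, payload, src=LINK_LOCAL_SRC, dst=ALL_NODES_DST):
    """Build a fixed 40-byte IPv6 header (no extension headers) plus payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + src + dst + payload


def parse_ipv6(pkt):
    """Parse the fixed IPv6 header; raise on truncated or non-IPv6 input."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": pkt[8:24],
        "dst": pkt[24:40],
        "payload": pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len],
    }


def check_ndp(pkt):
    """Return (accept, reason) for an NDP packet received directly off the link."""
    hdr = parse_ipv6(pkt)
    if hdr["next_header"] != IPPROTO_ICMPV6:
        return False, "next header is not ICMPv6 (extension headers not handled here)"
    if len(hdr["payload"]) < 4:
        return False, "truncated ICMPv6 message"
    icmp_type = hdr["payload"][0]
    if icmp_type not in NDP_TYPES:
        return False, "ICMPv6 type %d is not an NDP message" % icmp_type
    # The security check: a forwarded packet cannot arrive with Hop Limit 255.
    if hdr["hop_limit"] != 255:
        return False, "hop limit %d != 255, message was forwarded" % hdr["hop_limit"]
    return True, "ok"


def check_tunneled_ndp(outer, inner):
    """Tunnel-mode ESP variant: both the outer packet and the decrypted inner
    packet must carry Hop Limit 255. ESP processing is assumed already done."""
    outer_hdr = parse_ipv6(outer)
    if outer_hdr["next_header"] != IPPROTO_ESP:
        return False, "outer packet is not ESP"
    if outer_hdr["hop_limit"] != 255:
        return False, "outer hop limit %d != 255" % outer_hdr["hop_limit"]
    return check_ndp(inner)


# Constructed Neighbor Solicitation: type 135, code 0, checksum 0 (not
# verified here), 4 reserved bytes, 16-byte target address.
NS_PAYLOAD = bytes([135, 0, 0, 0]) + b"\x00" * 4 + LINK_LOCAL_SRC
SAMPLE_NS_OK = build_ipv6(IPPROTO_ICMPV6, 255, NS_PAYLOAD)
SAMPLE_NS_FORWARDED = build_ipv6(IPPROTO_ICMPV6, 254, NS_PAYLOAD)
# Constructed outer ESP packet; the payload is opaque ciphertext for our purposes.
SAMPLE_ESP_OUTER_OK = build_ipv6(IPPROTO_ESP, 255, b"\x00" * 8 + b"ciphertext")
SAMPLE_ESP_OUTER_BAD = build_ipv6(IPPROTO_ESP, 254, b"\x00" * 8 + b"ciphertext")

if __name__ == "__main__":
    print("direct, HL 255:   ", check_ndp(SAMPLE_NS_OK))
    print("direct, HL 254:   ", check_ndp(SAMPLE_NS_FORWARDED))
    print("tunnel, outer 255:", check_tunneled_ndp(SAMPLE_ESP_OUTER_OK, SAMPLE_NS_OK))
    print("tunnel, outer 254:", check_tunneled_ndp(SAMPLE_ESP_OUTER_BAD, SAMPLE_NS_OK))
```

A real stack would apply the same rule only after the ICMPv6 checksum and any authentication have been verified, and would reject NDP messages carrying a Hop-by-Hop or other extension header rather than silently skipping them as this sketch does.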


