Re: Hop Limit in Inner Header (IPv6)
Peter> of the protocol design is that all NDP messages can only be received from
Peter> the link to which you are fastened (physically or logically). By setting
Peter> the HL to 255, an attempt to spoof an NDP message by forwarding it onto the
Peter> link can be detected. *IF* IPSEC, using tunnel mode ESP, is to be used for
Peter> NDP then it is essential that this behaviour is maintained.
>
Peter> Of course, there may not be a need to use IPSEC in this mode for this purpose.
It would seem that this is something that a v6 implementation
should simply not do. My reading of the NDP document suggests that most
NDP stuff is done with multicast, and is intended to be used on physical
links only.
I don't really see the worry.
If for some reason one wanted to tunnel NDP datagrams through an ESP
tunnel between two link-local machines, the HL on the ESP packet should
probably be set to 255, and checked at the other end.
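The receiver-side check discussed in this thread, as an added example that is not part of the original thread or any implementation mentioned in it: NDP messages (ICMPv6 types 133 to 137) are accepted only if they arrive with Hop Limit 255, since a router forwarding a packet decrements the field and a value below 255 therefore indicates an off-link origin. The same rule is applied to the outer header of ESP packets (protocol 50), which is the check the reply suggests for an ESP tunnel between link-local machines. The packets, addresses and the zeroed ICMPv6 checksum are constructed inline for illustration and are not real traffic.

```python
import ipaddress
import struct

ICMPV6 = 58
ESP = 50
# ICMPv6 types that make up Neighbor Discovery (RFC 4861)
NDP_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
}


def build_ipv6(payload: bytes, next_header: int, hop_limit: int,
               src: bytes, dst: bytes) -> bytes:
    """Assemble a minimal IPv6 header (no extension headers) in front of payload."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return header + src + dst + payload


def ndp_hop_limit_check(packet: bytes):
    """Return (accept, reason) for a packet received on a link.

    Only NDP messages and ESP packets are subject to the Hop Limit 255 rule;
    everything else passes through untouched by this check.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False, "not an IPv6 packet"
    next_header = packet[6]
    hop_limit = packet[7]
    if next_header == ESP:
        # Outer header of a tunnel: contents cannot be inspected here, so the
        # hop limit of the ESP packet itself is what gets checked.
        if hop_limit != 255:
            return False, "ESP packet with Hop Limit %d crossed a router, drop" % hop_limit
        return True, "ESP packet with Hop Limit 255"
    if next_header != ICMPV6:
        return True, "not ICMPv6; NDP rule does not apply"
    payload = packet[40:]
    if len(payload) < 4:
        return False, "truncated ICMPv6 header"
    name = NDP_TYPES.get(payload[0])
    if name is None:
        return True, "ICMPv6 type %d is not NDP" % payload[0]
    if hop_limit != 255:
        return False, "%s with Hop Limit %d was forwarded or spoofed, drop" % (name, hop_limit)
    return True, "%s with Hop Limit 255" % name


# Constructed sample traffic: link-local source, solicited-node multicast target
SRC = ipaddress.IPv6Address("fe80::1").packed
DST = ipaddress.IPv6Address("ff02::1:ff00:2").packed
TARGET = ipaddress.IPv6Address("fe80::2").packed
# Neighbor Solicitation: type 135, code 0, checksum zeroed (placeholder), reserved, target
NS_BODY = bytes([135, 0, 0, 0]) + b"\x00" * 4 + TARGET
ECHO_BODY = bytes([128, 0, 0, 0]) + b"\x00\x01\x00\x01"  # Echo Request, not NDP

NS_ON_LINK = build_ipv6(NS_BODY, ICMPV6, 255, SRC, DST)
NS_FORWARDED = build_ipv6(NS_BODY, ICMPV6, 254, SRC, DST)  # one router hop away
ECHO_REQUEST = build_ipv6(ECHO_BODY, ICMPV6, 64, SRC, DST)
ESP_ON_LINK = build_ipv6(b"\x00" * 16, ESP, 255, SRC, DST)
ESP_FORWARDED = build_ipv6(b"\x00" * 16, ESP, 63, SRC, DST)

if __name__ == "__main__":
    for label, pkt in [("NS on-link", NS_ON_LINK), ("NS forwarded", NS_FORWARDED),
                       ("Echo", ECHO_REQUEST), ("ESP on-link", ESP_ON_LINK),
                       ("ESP forwarded", ESP_FORWARDED)]:
        print(label, ndp_hop_limit_check(pkt))
```

The check deliberately ignores the ICMPv6 checksum and any extension headers; a real receiver validates both before reaching this point, and RFC 4861 additionally requires NDP messages to carry no extension headers other than those explicitly permitted.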