Re: IPv4 mapped address considered harmful

>> This ambiguity creates chances for a malicious party to trick victim nodes.
>> Here are a couple of examples:
>How are these any different than with IPv4? I can send bad source
>addresses in IPv4 just as easily as in IPv6. IPv6 might even make it
>easier to do, e.g., reverse-path filtering (less prefixes to worry
>about).

	the key difference is that it may be possible to circumvent IPv4
	filters by using an IPv4 mapped address (= an IPv6 address like
	::ffff:1.2.3.4).  the problem is in the additional complexity due to
	the interaction between IPv4 packets and the IPv6 API/packets.

>Any kernel that takes a packet saying it is from the local host
>off the wire is broken.
>Any firewall that allows through a packet from the Internet saying
>it is from the LAN is broken.

	i agree with these, but some of the specifications (like SIIT)
	assume the use of IPv4 mapped addresses on the wire, making it harder
	for firewalls/hosts to deal with bad addresses.

itojun
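
Added example, not part of the original message or any project's code: a minimal source-address check showing how an IPv4-only deny list misses the same address written in IPv4-mapped form (::ffff:a.b.c.d), beside a version that normalizes before matching. The deny prefixes, function names and the `from_wire` policy flag are assumptions made for illustration.

```python
import ipaddress

# Constructed IPv4 deny list: loopback and an assumed internal LAN prefix.
IPV4_DENY = [ipaddress.ip_network("127.0.0.0/8"),
             ipaddress.ip_network("10.0.0.0/8")]


def naive_allows(src: str) -> bool:
    """IPv4-only filter: any IPv6 source is treated as outside its scope."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6:
        return True  # the gap: ::ffff:a.b.c.d is never compared to IPV4_DENY
    return not any(addr in net for net in IPV4_DENY)


def canonical(src: str):
    """Return the embedded IPv4 address for ::ffff:a.b.c.d, else the address."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def hardened_allows(src: str, from_wire: bool = False) -> bool:
    """Apply the IPv4 deny list to the canonical form of the source.

    from_wire=True models a mapped source seen in an actual IPv6 packet;
    dropping those is a policy assumption here, and it would not suit a
    deployment that relies on mapped addresses on the wire (e.g. SIIT).
    """
    addr = ipaddress.ip_address(src)
    is_mapped = addr.version == 6 and addr.ipv4_mapped is not None
    if is_mapped and from_wire:
        return False
    v4 = canonical(src)
    if v4.version == 4:
        return not any(v4 in net for net in IPV4_DENY)
    return True  # native IPv6: IPv6 rules are out of scope for this sketch


if __name__ == "__main__":
    for s in ["10.1.2.3", "::ffff:10.1.2.3", "::ffff:192.0.2.7", "2001:db8::1"]:
        print(f"{s:20} naive={naive_allows(s)} hardened={hardened_allows(s)}")
```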
