Ah, very good! Thanks for the pointer, Sam. - Christian -- Christian Vogt, Institute of Telematics, Universitaet Karlsruhe (TH) www.tm.uka.de/~chvogt/pubkey/ Sam Hartman wrote: >>>>>> "Christian" == Christian Vogt <chvogt@xxxxxxxxx> writes: > Christian> unamplified flooding would also be possible for the > Christian> attacker without HIP because the attacker could send > Christian> flooding packets with an IPv6 Routing header, directing > Christian> the packets to the correspondent node first, and from > Christian> there to the victim. To prevent this attack, the > Christian> firewall would have to look into the flooding packets' > Christian> extension headers since the IPv6 header would > Christian> (legitimately) include the correspondent node's IP > Christian> address. > > > Take a look at the v6ops IPV6 security overvew document. It > recommends dropping most routing headers to avoid this sort of attack. > _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf