Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

> On Dec 5, 2018, at 5:54 AM, Nick Hilliard <nick@xxxxxxxxxx> wrote:
> 
> Joe Touch wrote on 05/12/2018 13:12:
>> The choices below don’t include declaring this a security risk and
>> turning it off.
>> If you want to change the standard, do so. But this isn’t a step
>> in that direction. And the previous attempts only show why IPv6
>> has adoption problems.
>> The standard can still be changed, but regardless, this simply is not
>> a security issue and shouldn’t be sold as one.
> If J Random Hacker in his mom's basement can launch an attack which takes down your network core because your management planes can't handle 1Tbit, or more realistically 10gbit, of HBH packets, then that is categorically a network security issue, even if it is a secondary effect.

So every SNMP packet is an attack as well? As is every routing packet?

A security issue is created when a packet can cause *disproportionate* load. Otherwise it’s just called load.

The security issue is the implementation not throttling such packets to avoid having 10G of them shutting down the control plane. Yes, that’s a security issue, but it’s not the fault of the HBH packets.

Joe
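
The throttling argued for in the message above, as an added example that is not part of the original thread: a token-bucket policer in front of the slow path, so the control plane sees a bounded rate of Hop-by-Hop packets however many are offered. The names `PuntPolicer`, `classify` and `simulate` and the 100 pps / burst 10 limits are assumptions chosen for illustration.

```python
import struct
from collections import Counter

HBH = 0                # IPv6 Next Header value for Hop-by-Hop Options (RFC 8200)
TOKEN = 1_000_000      # one packet costs 1e6 micro-tokens (integer math, no float drift)

class PuntPolicer:
    """Token bucket in front of the slow path (hypothetical name)."""
    def __init__(self, rate_pps, burst):
        self.rate = rate_pps            # 1 pkt/s == 1 micro-token per microsecond
        self.cap = burst * TOKEN
        self.tokens = self.cap
        self.last_us = 0

    def allow(self, now_us):
        elapsed = now_us - self.last_us
        self.last_us = now_us
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        if self.tokens < TOKEN:
            return False
        self.tokens -= TOKEN
        return True

def has_hbh(pkt):
    """HBH must directly follow the fixed header, so byte 6 is enough."""
    return len(pkt) >= 40 and pkt[0] >> 4 == 6 and pkt[6] == HBH

def classify(pkt, now_us, policer):
    if not has_hbh(pkt):
        return "fast"                   # never touches the control plane
    return "punt" if policer.allow(now_us) else "drop"

def make_ipv6(next_header, payload=b""):
    """Constructed sample packet: fixed header, zero addresses, hop limit 64."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + bytes(32) + payload

def simulate(offered_pps, seconds, policer):
    """Offer a constant HBH flood and count what reaches the slow path."""
    # Constructed HBH header: No Next Header (59), length 0, six Pad1 options.
    pkt = make_ipv6(HBH, bytes([59, 0]) + bytes(6))
    step_us = 1_000_000 // offered_pps
    return Counter(classify(pkt, i * step_us, policer)
                   for i in range(offered_pps * seconds))

if __name__ == "__main__":
    print(simulate(10_000, 1, PuntPolicer(rate_pps=100, burst=10)))
```

The clock is passed in by the caller so the simulation is deterministic; a real forwarding path would read a monotonic timer instead.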



