Re: Fwd: New Version Notification for draft-hinden-ipv4flag-00.txt

Fernando Gont <> Sat, 18 November 2017 15:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 35B6A127337 for <>; Sat, 18 Nov 2017 07:32:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 1.075
X-Spam-Level: *
X-Spam-Status: No, score=1.075 tagged_above=-999 required=5 tests=[DATE_IN_PAST_03_06=1.076, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IOB8LaagGZim for <>; Sat, 18 Nov 2017 07:32:09 -0800 (PST)
Received: from ( [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 814EE126DCA for <>; Sat, 18 Nov 2017 07:32:09 -0800 (PST)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id ACE55800DD; Sat, 18 Nov 2017 16:31:57 +0100 (CET)
Subject: Re: Fwd: New Version Notification for draft-hinden-ipv4flag-00.txt
To: Michael Richardson <>, IPv6 List <>
Cc: Bob Hinden <>
References: <> <> <>
From: Fernando Gont <>
Message-ID: <>
Date: Sat, 18 Nov 2017 20:00:09 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 18 Nov 2017 15:32:11 -0000

On 11/17/2017 10:49 PM, Michael Richardson wrote:
> Bob Hinden <> wrote:
> The security consideration discusson went something like this:
>     - this is a trivial DOS if there is really an IPv4 network
>     - hosts that want to do v4 must therefore take this as advice, rather
>       than gospel, and try the IPv4 anyway.
>     - since they will try the IPv4 anyway, the goal of shutting them up
>       fails.
> However, I am enthusistic about such a flag, even if it is advice only and
> everyone has to ignore it for security reasons.  It announces a desired
> policy for the router issuing it.  It says, "I do not offer native IPv4"
> It can moderate the hosts' enthuasiam for finding an IPv4, can ask the human
> for advice, and if you want to mount a DOS against the IPv4 network, just use
> DHCPv4 as people do now.

It is not the same: the IPv5 could be protected sith something a la
dhcp-snooping, and unprotected nn the IPv6 side. And this mechanism
could allow an IPv4 DoS where otherwise not possible.

Note: The above is *not* an argument against this proposal, but rather
feedback aimed at raising awareness about possible issues. The above
should be described in the Sec Cons section.

Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492