Re: [v6ops] I-D Action: draft-ietf-v6ops-design-choices-04.txt

Philip Matthews, Thu, 19 February 2015 19:07 UTC


Hi Brian:

I personally do not know of a way to get a packet to a link-local address on a different link unless the routers in-between are very very broken. However, I think the discovery a couple of years ago that most routers happily forwarded packets with link-local _source_ addresses surprised people, even though in hindsight it should not have. And security folk (and researchers!) are always leery of absolute statements like "This is impossible". So when Jen Linkova requested that we soften the wording around link-local address security (in her comments at the mike during the Honolulu session), I was happy to comply. Hence the text below, and similar changes in a couple of other spots.

- Philip

On 2015-02-18, at 17:51 , Brian E Carpenter wrote:

>> It is very difficult to impossible to ping a link-local address
>> from a device that is not on the same subnet. This is a
>> troubleshooting disadvantage, though it can also be viewed as a
>> security advantage.
> I am puzzled by how it could ever be possible at all.
> Link-local addresses are by definition meaningless off
> the link in question, and they should never even be known by
> any node on another link. (And of course it gets even more
> complicated on devices with several interfaces, such as routers,
> since a link local address is only meaningful with a ZoneID,
> and that is a node-specific value, meaningless to other nodes
> on the *same* link.)
>   Brian
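The forwarding behaviour discussed in the message above (routers that should, but did not always, refuse to forward packets with link-local source or destination addresses off their ingress link) can be expressed as a simple router-side audit. The following is an added example written for this archive page, not code from the thread, the draft, or any router vendor. It assumes a simplified packet model (source, destination, ingress and egress interface) with constructed sample packets, and it applies the RFC 4291 rule that fe80::/10 addresses must never be forwarded off the link they arrived on. Zone IDs (the `%eth0` suffix) are stripped before the check because they are a node-local disambiguator that never appears in the packet header, which is the point Brian makes about ZoneIDs being meaningless to other nodes.

```python
"""Audit forwarding decisions against the IPv6 link-local scope rule.

Added illustrative code, not part of the v6ops thread or the draft.
Packet model and sample traffic below are constructed for the example.
"""
import ipaddress
from typing import List, NamedTuple, Tuple

# RFC 4291 section 2.5.6: link-local unicast addresses live in fe80::/10.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


class Packet(NamedTuple):
    src: str        # source address as seen on the wire (may carry a zone ID in logs)
    dst: str        # destination address
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface the forwarding table selected


def parse_addr(text: str) -> ipaddress.IPv6Address:
    """Parse an IPv6 address, discarding any '%zone' suffix.

    The zone ID only has meaning on the node that wrote it; it is not part
    of the 128-bit address carried in the header, so a router must not rely
    on it when deciding scope.
    """
    return ipaddress.IPv6Address(text.split("%", 1)[0])


def is_link_local(text: str) -> bool:
    return parse_addr(text) in LINK_LOCAL


def forwarding_decision(pkt: Packet) -> Tuple[bool, str]:
    """Return (forward?, reason) for one packet.

    Link-local traffic is legitimate on its own link (Neighbor Discovery,
    Router Advertisements, OSPFv3 adjacencies), so the rule only bites when
    the egress interface differs from the ingress interface.
    """
    src, dst = parse_addr(pkt.src), parse_addr(pkt.dst)
    if pkt.in_iface == pkt.out_iface:
        return True, "stays on ingress link"
    if dst in LINK_LOCAL:
        return False, "link-local destination must not leave its link"
    if src in LINK_LOCAL:
        return False, "link-local source must not leave its link"
    return True, "global-scope forwarding"


def audit(packets: List[Packet]) -> List[Tuple[Packet, bool, str]]:
    """Run forwarding_decision over a batch; the caller can log the refusals."""
    return [(p, *forwarding_decision(p)) for p in packets]


def violations(packets: List[Packet]) -> List[Packet]:
    """Packets a compliant router would drop: useful as a detection rule
    when replayed against captured forwarding logs."""
    return [p for p, ok, _ in audit(packets) if not ok]


# Constructed sample traffic (RFC 3849 documentation prefix for global addresses).
SAMPLE = [
    Packet("2001:db8:1::10", "2001:db8:2::20", "eth0", "eth1"),   # normal transit
    Packet("fe80::1%eth0", "ff02::1", "eth0", "eth0"),            # RA on its own link
    Packet("fe80::dead:beef", "2001:db8:2::20", "eth0", "eth1"),  # the surprising case
    Packet("2001:db8:1::10", "fe80::1", "eth0", "eth1"),          # off-link ping to LL
]

if __name__ == "__main__":
    for pkt, ok, why in audit(SAMPLE):
        print(f"{'FORWARD' if ok else 'DROP   '} {pkt.src} -> {pkt.dst} "
              f"({pkt.in_iface}->{pkt.out_iface}): {why}")
```

Running it prints one line per packet; only the two cross-link packets involving an fe80::/10 address are marked DROP, which is exactly the traffic the message says many routers used to forward anyway. Replaying captured five-tuples through `violations()` is a cheap way to confirm whether a given router honours the scope rule.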