Re: NIST IPv6 document

[Mikael Abrahamsson <swmike () swm pp se>]

On Thu, 6 Jan 2011, Lamar Owen wrote:

> Ok, perhaps I'm dense, but why is the router going to try to find a host 
> that it already doesn't know based on an unsolicited outside packet? 
> Why is the router trusting the outside's idea of what addresses are 
> active, and why isn't the router dropping packets on the floor destined 
> to hosts on one of its interfaces' local subnets that it doesn't already 
> know about?

Because the standard says it should do that.

> If the packet is a response to a request from the host, then the router 
> should have seen the outgoing packet (or, in the case of HSRP-teamed 
> routers, all the routers in the standby group should be keeping track of 
> all hosts, etc) and it should already be in the neighbor table.

Are you trying to abolish the end to end principle of the Internet by 
implementing stateful firewalls in all routers?

> Like I said, perhaps I'm dense and ignorant and just simply 
> misunderstanding the issue, but I still find it hard to believe that a 
> router would blindly trust an outside address to know about an inside 
> address that is not already in the router's neighbor table.

That's how it's always worked, both for v4 and v6.

--
Mikael Abrahamsson    email: swmike () swm pp se