Ingress Filtering
Click on the red underlined text to get to the source
... deployment of
IPv4 ingress filtering [RFC3704]. The reason threat (2) exists is
that the IPv6 packet ...
... IPv4 and hence may escape
IPv6 ingress filtering. [RFC4213] specifies the following strict
address ...
... decapsulator may also implement
IPv4 ingress filtering, i.e., check whether the packet is received
on a legitimate interface.
...
...
This shortcoming can be partially mitigated by IPv6 ingress
filtering, i.e., check that the packet is arriving from the interface
in the direction of the route ...
... SA is not generally feasible. IPv6
ingress filtering must be performed to mitigate the IPv6 address
spoofing ...
... IPv6 spoofing must be prevented, and setting up ingress filtering may
require some amount of manual configuration; see more of these
...
... This document assumes that tunnels are manually configured on both
sides and the ingress filtering is manually set up to discard spoofed
packets.
...
... Source address spoofing can be
limited by enabling ingress filtering on the tunnel interface.
...
... traffic gets sent over the
tunnel. Ingress filtering must be separately applied on the
tunnel interface ...
... multicast is not possible over
such a tunnel. Ingress filtering is performed automatically by
the IPsec traffic ...
... traffic selectors.
Ingress filtering is guaranteed by IPsec processing when option (2)
is chosen, whereas the operator has to enable it explicitly when
...