Tom Lane said:
> Jan Wieck <JanWieck@Yahoo.com> writes:
>> So either we do the random signature thing, which I would favor as a
>> one time be all, end all solution - or you do the actual from-address
>> based implementation by restoring the old IPV4 behaviour and adding
>> correct IPV6 behaviour.
>
> My feeling at this point is that it's not worth spending any effort on.
> But if someone wants to expend effort, let's go with Jan's
> random-signature idea. That is simple, unquestionably portable, and
> AFAICS it defends against more than the source-address check would
> defend against, even after we got it right. (Consider spoofed packet
> source addresses.)
>
I see that currently the check has been removed rather than fixed.
If someone can spoof the packet address isn't there also a possibility
that they can read your packets and see your random signature?
I'm not clear what would be gained by an attacker being able to insert
such spoofed packets into the stream, though. IOW, how big is the security
threat?
cheers
andrew