
Re: comment on unmanaged analysis presentation/doc



> We can't do that - the only reason for having a 6to4 site is to be able
> to communicate with the rest of the IPv6 universe.   We can't restrict that
> to the subset of that universe who are using 6to4.

Understood.

But that means that 6to4 provides the ultimate packet laundering service
for source address spoofing that a combination of IPv4 and IPv6 ingress
filtering cannot prevent.

If an attacker wants to spoof the source address of IPv6 packets
it can just send
	IPv4 src = its own address
	IPv4 dst = victim 6to4 site
	IPv6 src = anything it desires
	IPv6 dst = victim host

Any IPv4 ingress filtering will happily let such packets through since
the IPv4 src is not spoofed.
The 6to4 router at the victim's site will blindly decapsulate and
lose all track of the IPv4 source.
The victim might be able to insert a probe (after noticing the attack)
at its 6to4 router and see the IPv4 source.
But presumably this mechanism could also use helpful 6to4 relays
as intermediaries where the original IPv4 source address would be lost
at the relay and the victim has no easy way to install a probe at the relay
since it is likely to be operated by some remote entity in the internet.

This has me concerned. We don't need more wide-open relays
than the ones we already have at various protocol layers in the Internet.

An approach for handling native to 6to4 site communication differently
would be for the 6to4 site to explicitly establish a bidirectional tunnel
(which can be authenticated etc) with a relay, and have that
cause the relay to announce the /48 prefix into IPv6 routing.
Then packets from native addresses would only arrive over that bidirectional 
tunnel. (And 6to4 sites could communicate with each other using the direct
path i.e. when the IPv4 source of the packet matches the IPv6 source
of the packet this is safe; otherwise tunnel to the designated relay).
But that implies some additional configuration (need to find a relay which
is willing to serve) and potentially lots of /48 routes being passed
around.

  Erik
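The check Erik describes for the direct 6to4-to-6to4 path (accept a decapsulated packet only when the IPv4 address embedded in the 6to4 IPv6 source, 2002:V4ADDR::/48, matches the outer IPv4 source, and otherwise expect the packet to have come from a designated relay) can be written as a small decapsulation filter. The following is an added example, not code from the message or from any 6to4 implementation. It builds constructed IPv6-in-IPv4 (protocol 41) packets with minimal headers (no checksums), parses them, and classifies each one; the addresses and the `trusted_relays` set are assumptions for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41                        # IANA protocol number used by 6to4 encapsulation
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")


def build_ipv4_header(src, dst, payload_len, proto=PROTO_IPV6_IN_IPV4):
    """Minimal 20-byte IPv4 header; checksum left as zero (parsing demo only)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_ipv6_header(src, dst, payload_len=0, next_header=59):
    """Minimal 40-byte IPv6 header; next header 59 = No Next Header."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def make_packet(v4src, v4dst, v6src, v6dst):
    """Constructed IPv6-in-IPv4 packet as an attacker or a 6to4 router would emit it."""
    inner = build_ipv6_header(v6src, v6dst)
    return build_ipv4_header(v4src, v4dst, len(inner)) + inner


def parse_outer(pkt):
    """Return (IPv4 src, IPv4 dst, protocol, payload) from the outer header."""
    ihl = (pkt[0] & 0x0F) * 4
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def parse_inner(inner):
    """Return (IPv6 src, IPv6 dst) from the encapsulated IPv6 header."""
    return ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])


def embedded_v4(v6):
    """For a 2002:V4ADDR::/48 address return the embedded IPv4 address, else None."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])   # bytes 2..5 hold V4ADDR


def classify_decapsulation(pkt, trusted_relays=()):
    """Classify a protocol-41 packet at a 6to4 router's decapsulation point.

    'consistent-6to4'  : 6to4 source whose embedded IPv4 matches the outer IPv4 source
    'spoofed-6to4'     : 6to4 source whose embedded IPv4 does NOT match the outer source
    'native-via-relay' : native IPv6 source arriving from a configured (assumed) relay
    'native-unexpected': native IPv6 source arriving from some arbitrary IPv4 host
    """
    v4src, _v4dst, proto, inner = parse_outer(pkt)
    if proto != PROTO_IPV6_IN_IPV4 or len(inner) < 40 or inner[0] >> 4 != 6:
        return "not-6to4"
    v6src, _v6dst = parse_inner(inner)
    emb = embedded_v4(v6src)
    if emb is None:
        # Once decapsulated, nothing in 'inner' records v4src: this is the laundering step.
        return "native-via-relay" if str(v4src) in set(trusted_relays) else "native-unexpected"
    return "consistent-6to4" if emb == v4src else "spoofed-6to4"


if __name__ == "__main__":
    # Constructed sample: victim 6to4 site is 192.0.2.1 -> prefix 2002:c000:201::/48,
    # attacker is 203.0.113.5, third-party 6to4 site is 198.51.100.1 -> 2002:c633:6401::/48.
    victim_v4, victim_v6 = "192.0.2.1", "2002:c000:201::1"
    attacker = "203.0.113.5"
    # Attacker sends with its own IPv4 source (passes IPv4 ingress filtering) but a
    # 6to4 IPv6 source belonging to someone else.
    print(classify_decapsulation(make_packet(attacker, victim_v4, "2002:c633:6401::1", victim_v6)))
    # Same packet from the site that actually owns that 6to4 prefix.
    print(classify_decapsulation(make_packet("198.51.100.1", victim_v4, "2002:c633:6401::1", victim_v6)))
    # Native IPv6 source: only acceptable from the designated (assumed) relay 192.0.2.254.
    print(classify_decapsulation(make_packet(attacker, victim_v4, "2001:db8::1", victim_v6),
                                 trusted_relays=["192.0.2.254"]))
```

The consistency test only covers the direct path between 6to4 sites; packets with a native IPv6 source carry no embedded IPv4 address to compare against, which is exactly why the message proposes accepting them only over an explicitly configured tunnel to a known relay. That is modelled here by the `trusted_relays` parameter, an assumption of this example rather than anything 6to4 itself specifies.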