
Re: comment on unmanaged analysis presentation/doc



>   | But that means that 6to4 provides the ultimate packet laundering service
>   | for source address spoofing that a combination of IPv4 and IPv6 ingress
>   | filtering can not prevent.
> 
> Not really any more than any other IP tunnel system does.

Which (widely deployed) IP tunneling system accepts encapsulated
packets from any source address, decapsulates them, and forwards them on
based on the inner source address?

> yes.   Just as a pure IPv6 router will blindly pass on a native IPv6
> packet and lose all track of the IPv6 source (as does IPv4).  The only

You use "lose track" in a completely different meaning than I do.
In the decapsulation case the IPv4 source address is not part of
the packet that is forwarded, hence the victim can't inspect it.
All the victim sees in a packet is an IPv6 source address which could
be arbitrarily spoofed and can't be filtered because of this.

A regular router (IPv6 or IPv4) passes on the packet unmodified.
Hence ingress filtering doesn't become less useful.
When decapsulation from arbitrary source addresses without strong checks
between the inner and outer source is deployed, ingress filtering becomes
completely ineffective.

  Erik
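The "strong check between the inner and outer source" Erik refers to, as an added example that is not part of this thread: a decapsulator that accepts IPv6-in-IPv4 traffic from 6to4 sites verifies that the inner IPv6 source is the 2002::/16 address derived from the outer IPv4 source, so the packet stays attributable to an IPv4 address that IPv4 ingress filtering could act on. The packet builder and the sample addresses (RFC 5737 documentation ranges) are constructed for the example; it assumes a decapsulator that only expects 6to4-sourced inner addresses, so native (non-2002) inner sources are rejected.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation, as used by 6to4

def build_6to4_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: minimal IPv4 header (protocol 41, checksum left 0)
    wrapping an IPv6 header with no payload (next header 59 = none)."""
    v6 = struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # version 6, len 0, nh 59, hop limit 64
    v6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6

def inner_outer_consistent(packet):
    """Return (ok, reason). ok is True only when the inner IPv6 source lies in
    2002:VVVV:VVVV::/48 where VVVV:VVVV is the outer IPv4 source address."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not an IPv4 packet"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6:
        return False, "not an IPv6-in-IPv4 packet"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "truncated or non-IPv6 inner header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    # Top 48 bits of the inner source must be 0x2002 followed by the outer IPv4 source.
    expected_prefix = (0x2002 << 32) | int(outer_src)
    if (int(inner_src) >> 80) != expected_prefix:
        return False, f"inner source {inner_src} does not embed outer source {outer_src}"
    return True, "inner source matches outer source"

if __name__ == "__main__":
    # Legitimate: site 192.0.2.1 sends from its own 6to4 prefix 2002:c000:201::/48.
    ok_pkt = build_6to4_packet("192.0.2.1", "192.88.99.1", "2002:c000:201::1", "2001:db8::1")
    # Spoofed: a different IPv4 source claims the same 6to4 inner source.
    bad_pkt = build_6to4_packet("203.0.113.9", "192.88.99.1", "2002:c000:201::1", "2001:db8::1")
    for pkt in (ok_pkt, bad_pkt):
        print(inner_outer_consistent(pkt))
```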