[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: comment on unmanaged analysis presentation/doc
> | But that means that 6to4 provides the ultimate packet laundering service
> | for source address spoofing that a combination of IPv4 and IPv6 ingress
> | filtering can not prevent.
>
> Not really any more than any other IP tunnel system does.
Which (widely deployed) IP tunneling system accepts encapsulated
packets from any source address, decapsulates them, and forwards then on
based on the inner source address?
> yes. Just as a pure IPv6 router will blindly pass on a native IPv6
> packet and loose all track of the IPv6 source (as does IPv4). The only
You use "loose track" in a completely different meaning than I do.
In the decapsulation case the IPv4 source address is not part of
the packet that is forwarded, hence the victim can't inspect it.
All the victim sees in a packet is an IPv6 source address which could
be arbitrarely spoofed and can't be filtered because of this.
A regular router (IPv6 or IPv4) passes on the packet unmodified.
Hence ingress filtering doesn't become less useful.
When decapsulation from arbitrary source addresses with out strong checks
between the inner and outter source is deployed ingress filtering becomes
completely ineffective.
Erik