
Re: comment on unmanaged analysis presentation/doc



    Date:        Wed, 25 Sep 2002 09:48:33 +0200 (CEST)
    From:        Erik Nordmark <Erik.Nordmark@Sun.COM>
    Message-ID:  <Roam.SIMC.2.0.6.1032940113.14299.nordmark@bebop.france>

  | Which (widely deployed) IP tunneling system accepts encapsulated
  | packets from any source address, decapsulates them, and forwards them on
  | based on the inner source address?

The mbone used to, though whether the implementations still act that
way I'm not sure.

  | You use "loose track" in a completely different meaning than I do.
  | In the decapsulation case the IPv4 source address is not part of
  | the packet that is forwarded, hence the victim can't inspect it.

But we're assuming spoofed source addresses, inspecting them is a waste
of time.   That the encapsulating packet might have once had a valid
source address is irrelevant.

  | All the victim sees in a packet is an IPv6 source address which could
  | be arbitrarily spoofed and can't be filtered because of this.

Exactly, which is always the case.   Whether the packet was once
encapsulated or not.

  | A regular router (IPv6 or IPv4) passes on the packet unmodified.
  | Hence ingress filtering doesn't become less useful.

I now begin to suspect that you're using ingress filtering meaning
something different than I thought.   That is, are you implying that
it is being done by the ISP near the source of the packets?   Ingress
filtering there would be defeated by tunneling (any kind) unless the
filter looks inside the tunnel (which it certainly can for 6to4, unlike
some other tunnels, as the content cannot be encrypted if it is to
work).

[Aside: when discussing filtering, please make explicit where you're
expecting the filter to be installed - how effective/practical it will
be will depend upon that, filtering at an unknown location is impossible
to analyse].

But someone interested in source address spoofing doesn't connect to
an ISP that does that kind of filtering - they just connect to one that
doesn't (of which there are plenty).

So, for any practical purpose, unless you could convince the whole world
that they're required to do this kind of filtering, there is none of it
that matters to take into account.   So, it really doesn't matter that
it would be ineffective, if it were applied, because when it matters, it
isn't applied anyway.

Beyond there (the ISPs near the source), filtering on source addresses
is useless/impossible anyway (as protection against spoofing).

The only real practical difference that 6to4 makes to any of this is
the widely advertised anycast address for relay sites, so it is trivially
easy for anyone to find a relay to use.   For 6to4 that's a feature of
course.

For someone intent on using this relaying to achieve easier anonymous
packets, I doubt it makes any difference.   They'll find some node
somewhere that will decapsulate and forward random packets in any case.
That's what they do - find the unsuspecting victim.   6to4 relays probably
aren't what they'd use by choice, because they (shouldn't be) unsuspecting,
and are more likely to be monitoring what is happening, than some other
random node that just happens to have decapsulation implemented but
which no-one really understands.

kre
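The check kre alludes to above, a filter that "looks inside the tunnel" for 6to4, as an added example that is not code from this thread or from any 6to4 implementation. It assumes the 6to4 address layout (2002:V4ADDR::/48, so the IPv4 address of the 6to4 site is embedded in bytes 2..5 of the IPv6 source) and protocol 41 encapsulation, and applies the consistency rule a decapsulator can enforce: an inner 6to4 source is accepted only when its embedded IPv4 address equals the outer IPv4 source. The optional set of trusted relay addresses, used for inner sources that are native (non-6to4) IPv6, is an assumed local policy, and the sample packets are constructed here with zero checksums and no payload.

```python
"""6to4 decapsulation consistency check (added example, not from the thread).

A relay/decapsulator that applies this check cannot be used to launder a
spoofed outer IPv4 source into a 6to4 IPv6 source that does not match it.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41                                   # IPv6-in-IPv4 encapsulation
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")    # 6to4 prefix


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def parse_ipv6(pkt):
    """Return (src, dst, payload) from a raw IPv6 packet (fixed 40-byte header)."""
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return src, dst, pkt[40:]


def embedded_v4(addr6):
    """IPv4 address embedded in a 2002:VVVV:VVVV::/48 6to4 address."""
    return ipaddress.IPv4Address(addr6.packed[2:6])


def check_6to4_decap(pkt, trusted_relays=()):
    """Decide whether a decapsulator should forward the inner IPv6 packet.

    Returns ("forward", reason) or ("drop", reason).  trusted_relays is an
    assumed local policy: outer IPv4 sources allowed to deliver packets whose
    inner source is native (non-6to4) IPv6, i.e. packets that came via a relay.
    """
    proto, outer_src, _outer_dst, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IPV6:
        return "drop", "not protocol 41"
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return "drop", "inner packet is not IPv6"
    inner_src, _inner_dst, _ = parse_ipv6(payload)

    if inner_src in SIX_TO_FOUR:
        # The only source address the tunnel lets us verify: the embedded
        # IPv4 address must equal the outer IPv4 source that delivered it.
        emb = embedded_v4(inner_src)
        if emb != outer_src:
            return "drop", f"embedded {emb} != outer source {outer_src}"
        return "forward", "6to4 source consistent with outer source"

    # Native IPv6 inner source: only acceptable from a known relay.
    trusted = {ipaddress.IPv4Address(a) for a in trusted_relays}
    if outer_src in trusted:
        return "forward", f"native inner source via trusted relay {outer_src}"
    return "drop", "native inner source from untrusted outer source"


def build_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: IPv4 header (proto 41, checksum 0) + bare IPv6 header."""
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, 64)   # ver 6, no payload, NH=59
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


if __name__ == "__main__":
    # Legitimate 6to4 site 192.0.2.1 -> embedded c000:0201
    print(check_6to4_decap(build_packet("192.0.2.1", "192.88.99.1",
                                        "2002:c000:201::1", "2001:db8::5")))
    # Same inner source, but delivered from a spoofed/unrelated outer source
    print(check_6to4_decap(build_packet("198.51.100.7", "192.88.99.1",
                                        "2002:c000:201::1", "2001:db8::5")))
```

The rule only binds the inner 6to4 source to the outer IPv4 source; if the outer source itself is spoofed (the case the thread is about), the check fails and the packet is dropped rather than forwarded, which is all a decapsulator can do. It says nothing about native inner sources, which is why those are tied to an explicit relay list here.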