
Re: comment on unmanaged analysis presentation/doc

> The mbone used to, though whether the implementations still act that
> way I'm not sure.

Not as I recall. The MBONE had the equivalent of RFC 2893 configured
tunnels, i.e., the recipient of a packet would verify the
outer source address against peer addresses in the list of configured tunnels.
Thus it didn't provide a wide open packet relay service like 6to4 relays.

> I now begin to suspect that you're using ingress filtering meaning
> something different than I thought.   That is, are you implying that
> it is being done by the ISP near the source of the packets? 

RFC 2267 is what defines ingress filtering for me.

>  Ingress
> filtering there would be defeated by tunneling (any kind) unless the
> filter looks inside the tunnel (which it certainly can for 6to4, unlike
> some other tunnels, as the content cannot be encrypted if it is to
> work).

It can be defeated by tunneling, but the issue is how easy it is
for an attacker to get a 3rd party to serve as the other end of
the tunnel. All deployed IP tunneling schemes I know of require
that the decapsulator be configured with the encapsulator's IP address.
Thus an attacker would need a cooperating 3rd party.

6to4 relays don't require this. Hence they are qualitatively different
in my mind when it comes to reducing the utility of ingress filtering.

> But someone interested in source address spoofing doesn't connect to
> an ISP that does that kind of filtering - they just connect to one that
> doesn't (of which there are plenty).
> 
> So, for any practical purpose, unless you could convince the whole world
> that they're required to do this kind of filtering, there is none of it
> that matters to take into account.   So, it really doesn't matter that
> it would be ineffective, if it were applied, because when it matters, it
> isn't applied anyway.

My understanding is that the use of ingress filtering, even though it
has lots of holes, has made attackers largely stop using spoofed addresses.
So I'm far from convinced that ingress filtering has zero utility as you
seem to claim.

And therefore I fail to see why IPv6 transition mechanisms should give that
tool back to the attackers to use.

  Erik
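As an added illustration (not code from this thread or from any 6to4 implementation), here is a model of the two decapsulator behaviours Erik contrasts: an RFC 2893 configured tunnel that accepts protocol-41 packets only from configured peers, and a 6to4 relay that accepts them from any outer IPv4 source. The optional consistency check (the IPv4 address embedded in a 2002::/16 source must equal the outer IPv4 source) is the mitigation that RFC 3056 requires of 6to4 routers and RFC 3964 later analysed, not something the mail states; all packets and addresses are constructed.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41          # IPv6-in-IPv4 encapsulation (protocol 41)
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def parse_proto41(packet: bytes):
    """Return (outer IPv4 source, inner IPv6 source) from a protocol-41 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6 or len(packet) < ihl + 40:
        raise ValueError("not a complete protocol-41 packet")
    inner = packet[ihl:ihl + 40]
    if inner[0] >> 4 != 6:
        raise ValueError("inner header is not IPv6")
    return ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv6Address(inner[8:24])


def decapsulate(packet: bytes, mode: str, peers=(), check_6to4=False):
    """Decide whether a decapsulator accepts the packet; returns (accepted, reason)."""
    outer_src, inner_src = parse_proto41(packet)
    if mode == "configured":
        # RFC 2893 configured tunnel: the outer source must be a configured peer,
        # so a spoofed inner source only gets through via a cooperating peer.
        if outer_src not in {ipaddress.IPv4Address(p) for p in peers}:
            return False, f"outer source {outer_src} is not a configured peer"
        return True, "accepted from configured peer"
    if mode == "6to4":
        # 6to4 relay: no peer list, so any outer source is decapsulated unless the
        # embedded-address consistency check (RFC 3056/3964, not in the mail) is on.
        if check_6to4 and inner_src in SIX_TO_FOUR:
            embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
            if embedded != outer_src:
                return False, f"embedded {embedded} does not match outer {outer_src}"
        return True, "accepted by 6to4 relay"
    raise ValueError(f"unknown mode {mode!r}")


def build_packet(outer_src: str, inner_src: str) -> bytes:
    """Constructed sample: 20-byte IPv4 header + 40-byte IPv6 header, no payload."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address("203.0.113.1").packed)   # the decapsulator
    v6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address("2001:db8::1").packed)   # native IPv6 destination
    return v4 + v6
```

Running the same packet with an unknown outer source through "configured" (rejected), "6to4" (accepted) and "6to4" with check_6to4=True (rejected when the embedded address disagrees) shows why the mail calls the relay case qualitatively different for ingress filtering.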