
Re: Proposed 6to4 work (security)




Brian E Carpenter wrote:

The spoofing issue is more serious; I can't see anything but some kind
of ingress filtering to protect against that.

This won't work. When a 6to4 relay sends a packet to the 6to4 world,
it uses its IPv4 address as source in the outer header.
IPv4 ingress filtering will always let it go through.

When a 6to4 router receives an encapsulated packet on its external interface
that has a native IPv6 inner src address, it cannot do any security
checks on the outer IPv4 address, as it can come from any host in the
internet. Moreover, as there is no mapping between the IPv4 src and
the IPv6 src addresses, it is impossible to do any IPv6 ingress filtering.

I fear there is no way to prevent spoofing.

This is why we need a 6to4 security draft in this WG.

Agreed.

  Brian


   - Alain.
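The check a 6to4 router can and cannot make, as an added example that is not part of the thread: for a 2002::/16 inner source the embedded IPv4 address must equal the outer IPv4 source (the RFC 3056 address format), while a native IPv6 inner source arriving through a relay has no such relation to the outer header and can only be marked unverifiable. The sample packets are constructed.

```python
import ipaddress

SIXTO4 = ipaddress.ip_network("2002::/16")


def embedded_v4(v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    # Bits 16..47 of a 2002::/16 address carry the 6to4 site's IPv4 address.
    return ipaddress.IPv4Address(v6.packed[2:6])


def classify(outer_v4_src: str, inner_v6_src: str) -> str:
    """Compare the outer IPv4 source of a protocol-41 packet with its inner IPv6 source."""
    v4 = ipaddress.IPv4Address(outer_v4_src)
    v6 = ipaddress.IPv6Address(inner_v6_src)
    if v6 in SIXTO4:
        # 6to4-to-6to4 traffic: the embedded address must match the outer source.
        return "consistent" if embedded_v4(v6) == v4 else "mismatch"
    # Native IPv6 source relayed from the v6 internet: the outer address is the
    # relay's own, so nothing about the inner source can be checked here.
    return "unverifiable"


def audit(packets):
    """Return {(outer_src, inner_src): verdict} for a batch of decapsulated packets."""
    return {(o, i): classify(o, i) for o, i in packets}


# Constructed sample traffic (documentation prefixes only).
SAMPLE = [
    ("192.0.2.1", "2002:c000:201::1"),      # 6to4 site, embedded address matches
    ("198.51.100.7", "2002:c000:201::1"),   # 6to4 source, outer header does not match
    ("203.0.113.5", "2001:db8::1"),         # native IPv6 source via a relay
]

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE).items():
        print(key, verdict)
```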