
Re: Proposed 6to4 work (security)



I was thinking of IPv6 ingress filtering (i.e. the relay, or the ISP running the
relay, only accepts native IPv6 traffic from legitimate sources). 

IPv4 is only a link layer in the 6to4 context, so you have to treat it
as transparent. Spoofing has to be handled as an IPv6 issue.

   Brian

Alain Durand wrote:
> 
> Brian E Carpenter wrote:
> 
> >The spoofing issue is more serious; I can't see anything but some kind
> >of ingress filtering to protect against that.
> >
> This won't work. When a 6to4 relay sends a packet to the 6to4 world,
> it uses its IPv4 address as source in the outer header.
> IPv4 ingress filtering will always let it go through.
> 
> When a 6to4 router receives an encapsulated packet on its external interface
> that has a native IPv6 inner src address, it cannot do any security
> checks on the outer IPv4 address, as it can come from any host in the
> Internet. Moreover, as there is no mapping between the IPv4 src and
> the IPv6 src addresses, it is impossible to do any IPv6 ingress filtering.
> 
> I fear there is no way to prevent spoofing.
> 
> >This is why we need a 6to4 security draft in this WG.
> >
> Agreed.
> 
> >   Brian
> >
> 
>     - Alain.

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM 
On assignment at the IBM Zurich Laboratory, Switzerland
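As an added illustration (not from either message in this thread), the check a 6to4 router can run on decapsulation: a 2002::/16 inner source embeds an IPv4 address that must match the outer IPv4 source, while a native inner source gives the router nothing to compare, which is the case Alain describes. Function names and the sample addresses (documentation ranges) are constructed for this example.

```python
import ipaddress

SIXTO4 = ipaddress.ip_network("2002::/16")

# IPv4 ranges that must never appear embedded in a 2002:V4ADDR::/48 prefix
BOGON_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def embedded_ipv4(v6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    return ipaddress.IPv4Address(v6.packed[2:6])


def classify_decapsulated(outer_v4_src, inner_v6_src):
    """Verdict a 6to4 router can reach from the outer/inner source pair alone."""
    v4 = ipaddress.IPv4Address(outer_v4_src)
    v6 = ipaddress.IPv6Address(inner_v6_src)
    if v6 not in SIXTO4:
        # Native IPv6 source: no mapping to the outer IPv4 header exists,
        # so the router cannot verify it (only upstream IPv6 ingress
        # filtering at the native side could).
        return "native-unverifiable"
    emb = embedded_ipv4(v6)
    if any(emb in net for net in BOGON_V4):
        return "invalid-embedded-v4"
    if emb != v4:
        # 2002:: prefix claims one IPv4 origin, outer header shows another
        return "spoofed"
    return "consistent"


# Constructed sample of (outer IPv4 src, inner IPv6 src) pairs
SAMPLE_PACKETS = [
    ("192.0.2.1", "2002:c000:201::1"),    # 192.0.2.1 embedded, matches
    ("192.0.2.1", "2002:c633:6401::1"),   # embeds 198.51.100.1, mismatch
    ("192.0.2.1", "2001:db8::1"),         # native inner source
    ("192.0.2.1", "2002:c0a8:101::1"),    # embeds 192.168.1.1
]


def summarize(packets):
    """Count verdicts over a batch of decapsulated packets."""
    counts = {}
    for v4, v6 in packets:
        verdict = classify_decapsulated(v4, v6)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```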