Re: Proposed 6to4 work (security)
I was thinking of IPv6 ingress filtering (i.e. the relay, or the ISP running the
relay, only accepts native IPv6 traffic from legitimate sources).
IPv4 is only a link layer in the 6to4 context, so you have to treat it
as transparent. Spoofing has to be handled as an IPv6 issue.
Brian
Alain Durand wrote:
>
> Brian E Carpenter wrote:
>
> >The spoofing issue is more serious; I can't see anything but some kind
> >of ingress filtering to protect against that.
> >
> This won't work. When a 6to4 relay sends a packet to the 6to4 world,
> it uses its IPv4 address as source in the outer header.
> IPv4 ingress filtering will always let it go through.
>
> When a 6to4 router receives an encapsulated packet on its external interface
> that has a native IPv6 inner src address, it cannot do any security
> checks on the outer IPv4 address, as it can come from any host in the
> internet. More, as there is no mapping between the IPv4 src and
> the IPv6 src addresses, it is impossible to do any IPv6 ingress filtering.
>
> I fear there is no way to prevent spoofing.
>
> >This is why we need a 6to4 security draft in this WG.
> >
> Agreed.
>
> > Brian
> >
>
> - Alain.
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter
Distinguished Engineer, Internet Standards & Technology, IBM
On assignment at the IBM Zurich Laboratory, Switzerland
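As an added illustration (not code from this thread or from any 6to4 implementation), the one consistency check a 6to4 router or relay can still apply on its external interface: when the inner IPv6 source is a 6to4 address (2002::/16), the outer IPv4 source must equal the IPv4 address embedded in bits 16..47 of that inner source; when the inner source is native IPv6, no such mapping exists, which is exactly the case Alain describes. The packets below are constructed sample values.

```python
import ipaddress
from enum import Enum

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


class Verdict(Enum):
    CONSISTENT = "consistent"        # embedded IPv4 equals the outer IPv4 source
    MISMATCH = "mismatch"            # 6to4 source, but embedded IPv4 != outer source
    UNVERIFIABLE = "unverifiable"    # native IPv6 source: no mapping to the outer IPv4


def embedded_ipv4(addr: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Return the IPv4 address a 6to4 address carries: 2002:VVVV:WWWW::/48 -> V.V.W.W."""
    return ipaddress.IPv4Address(addr.packed[2:6])


def check_6to4_source(outer_src: str, inner_src: str) -> Verdict:
    """Compare the outer IPv4 source of an encapsulated packet with its inner IPv6 source.

    Only 6to4-addressed inner sources can be tied to the outer header; a native
    IPv6 inner source can arrive from any IPv4 host and is reported UNVERIFIABLE.
    """
    v4 = ipaddress.IPv4Address(outer_src)
    v6 = ipaddress.IPv6Address(inner_src)
    if v6 not in SIXTO4_PREFIX:
        return Verdict.UNVERIFIABLE
    return Verdict.CONSISTENT if embedded_ipv4(v6) == v4 else Verdict.MISMATCH


# Constructed sample packets as (outer IPv4 src, inner IPv6 src) pairs.
SAMPLE_PACKETS = [
    ("192.0.2.1", "2002:c000:201::1"),      # 6to4 host, embedded 192.0.2.1 matches
    ("198.51.100.7", "2002:c000:201::1"),   # same inner source sent from another IPv4 host
    ("192.0.2.1", "2001:db8::1"),           # native IPv6 inner source: nothing to compare
]


def summarize(packets):
    """Count the verdicts over a packet list, e.g. for a per-interface drop policy."""
    counts = {v: 0 for v in Verdict}
    for outer, inner in packets:
        counts[check_6to4_source(outer, inner)] += 1
    return counts


if __name__ == "__main__":
    for outer, inner in SAMPLE_PACKETS:
        print(f"{outer:>14} -> {inner:<18} {check_6to4_source(outer, inner).value}")
```

A router would typically drop MISMATCH packets outright; the UNVERIFIABLE class is the one Brian's proposal pushes to the relay's native IPv6 side, where ordinary IPv6 ingress filtering can still apply.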