
Re: Proposed 6to4 work (security)



On Wed, 16 Oct 2002, Alain Durand wrote:
> Brian E Carpenter wrote:
> 
> >The spoofing issue is more serious; I can't see anything but some kind
> >of ingress filtering to protect against that.
> >
> This won't work. When a 6to4 relay sends a packet to the 6to4 world,
> it uses its IPv4 address as source in the outer header.
> IPv4 ingress filtering will always let it go through.

The source IPv4 address could be '192.88.99.1'.  If this was mandated, 
perhaps some checks would be easier.  On the other hand, certain things 
(ones that were also criticized by IESG in Shipworm..) would appear.

That's what it is in our publicly usable (as far from the US and Japan, 
even) relay.
 
> When a 6to4 router receives an encapsulated packet on its external interface
> that has a native IPv6 inner src address, it cannot do any security
> checks on the outer IPv4 address, as it can come from any host in the
> Internet. Moreover, as there is no mapping between the IPv4 src and
> the IPv6 src addresses, it is impossible to do any IPv6 ingress filtering.
> 
> I fear there is no way to prevent spoofing.

See above: it's not complete, but at least it's something.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
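The two checks discussed in this thread, written out as an added example (this is not code from either author or from any 6to4 implementation): a decapsulation filter a 6to4 router could run on the outer IPv4 and inner IPv6 source headers. For an inner source in 2002::/16 it verifies that the IPv4 address embedded in the 6to4 prefix equals the outer IPv4 source; for a native IPv6 inner source it assumes the mandate Pekka floats, that relays always send from the anycast address 192.88.99.1, and rejects any other outer source. The function names, the sample header pairs and the 2001:db8::/32 and 192.0.2.0/24 documentation addresses are constructed for the example.

```python
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
# 6to4 relay anycast address (RFC 3068); the thread proposes mandating it
# as the outer source for relay-originated traffic.
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")


def embedded_v4(addr6):
    """Return the IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    packed = ipaddress.IPv6Address(addr6).packed
    return ipaddress.IPv4Address(packed[2:6])


def check_6to4_ingress(outer_src, inner_src):
    """Decide whether a decapsulated packet passes the source checks.

    outer_src: IPv4 source of the encapsulating header (string).
    inner_src: IPv6 source of the encapsulated packet (string).
    Returns (accept: bool, reason: str).
    """
    outer = ipaddress.IPv4Address(outer_src)
    inner = ipaddress.IPv6Address(inner_src)

    if inner in SIXTO4_PREFIX:
        # 6to4 source: the outer IPv4 source must be the one encoded in the
        # IPv6 prefix, otherwise the inner address is spoofed relative to
        # the tunnel endpoint that actually sent it.
        emb = embedded_v4(inner)
        if emb != outer:
            return False, f"embedded IPv4 {emb} does not match outer source {outer}"
        return True, "6to4 source consistent with outer header"

    # Native IPv6 source: such packets can only legitimately arrive via a
    # relay, so under the assumed mandate the outer source must be the
    # anycast relay address. This narrows the problem but does not close
    # it: the outer source is still forgeable.
    if outer != RELAY_ANYCAST:
        return False, f"native IPv6 source from non-relay IPv4 address {outer}"
    return True, "native IPv6 source via anycast relay (outer source unverified)"


def filter_headers(headers):
    """Apply the check to a list of (outer_src, inner_src) pairs."""
    return [(o, i) + check_6to4_ingress(o, i) for o, i in headers]


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        ("192.0.2.1", "2002:c000:201::1"),    # consistent 6to4 source
        ("192.0.2.7", "2002:c000:201::1"),    # embedded IPv4 != outer source
        ("192.88.99.1", "2001:db8::1"),        # native source via anycast relay
        ("192.0.2.1", "2001:db8::1"),          # native source, arbitrary outer
    ]
    for outer, inner, ok, reason in filter_headers(samples):
        verdict = "ACCEPT" if ok else "DROP  "
        print(f"{verdict} outer={outer:<12} inner={inner:<20} {reason}")
```

Only the first branch is a real mapping check; the second is exactly as partial as the thread says, since any host can put 192.88.99.1 in an outer IPv4 header. Routers that deploy it should treat it as a sanity filter, not as authentication of the inner IPv6 source.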