
Re: Proposed 6to4 work (security)



On Wed, 16 Oct 2002, Alain Durand wrote:
> >The source IPv4 address could be '192.88.99.1'.  If this was mandated, 
> >perhaps some checks would be easier.  On the other hand, certain things 
> >(ones that were also criticized by IESG in Shipworm..) would appear.
> >
> 
> How could you make regular IPv4 ingress filtering work?
> If you create an exception for 192.88.99.1, anybody could
> impersonate a 6to4 relay, if you don't, packets will
> never reach destination...

There is no need for any ingress filtering (implementation) exceptions.

Only, you can't run a 6to4 relay unless your upstream allows you to use that
IP address.  But that's, in my mind, in line with proper operational
procedures anyway.  It depends much on who's expected to run relays,
though.

With this what we could achieve is that to spoof these packets, the 
spoofer would have to be either in an area where there is no ingress 
filtering at all (i.e. core, usually -- and there direct IPv6 spoofing 
would be equally useful) or where it has been explicitly allowed.

The only real problem comes in certain cases if you're using unicast RPF;
I enumerated these a year or so ago in a mail to Brian Carpenter and 
ngtrans.

There are other options, some more scalable than others (like running
multihop eBGP between "trusted" relays and propagating more specifics
between them only -- in this way 6to4 sites could have total control and
there could be a trust relationship between site <-> relay).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
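
The following is an added example, not part of the original message: a small Python model of the two filtering points discussed in the thread, ordinary per-edge IPv4 ingress filtering with no special case for 192.88.99.1, and a source check at a decapsulating 6to4 router. The edge names and prefixes are constructed, and the decapsulation rule is an assumption about what "some checks" could look like if relays were mandated to use 192.88.99.1 as their IPv4 source.

```python
import ipaddress

RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")  # address named in the thread
SIXTOFOUR = ipaddress.ip_network("2002::/16")        # 6to4 IPv6 prefix

# Constructed edges: permitted IPv4 source prefixes per edge.
# None models a place with no ingress filtering at all (e.g. core).
EDGES = {
    "customer-a": ["198.51.100.0/24"],
    # The relay operator's upstream has explicitly allowed the relay address.
    "relay-operator": ["203.0.113.0/24", "192.88.99.1/32"],
    "core-unfiltered": None,
}

def ingress_permits(edge, src):
    """Plain ingress filtering: the source must be in the edge's prefix list."""
    prefixes = EDGES[edge]
    if prefixes is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def embedded_v4(v6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    return ipaddress.ip_address((int(v6) >> 80) & 0xFFFFFFFF)

def decap_accepts(outer_src, inner_src):
    """Assumed check at a 6to4 router for a protocol-41 packet.

    6to4 source: the outer IPv4 source must match the embedded IPv4 address.
    Native source: the packet must have come via a relay, so the outer
    IPv4 source must be the relay address.
    """
    outer = ipaddress.ip_address(outer_src)
    inner = ipaddress.ip_address(inner_src)
    if inner in SIXTOFOUR:
        return embedded_v4(inner) == outer
    return outer == RELAY_ANYCAST

if __name__ == "__main__":
    for edge in EDGES:
        print(edge, "may source 192.88.99.1:", ingress_permits(edge, "192.88.99.1"))
    print("native src via relay address:", decap_accepts("192.88.99.1", "2001:db8::1"))
    print("native src, other IPv4 src:  ", decap_accepts("198.51.100.7", "2001:db8::1"))
```
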