
Re: 6to4 security questions



Pekka,

My fundamental question since the 6to4 spoofing issue was first 
raised is whether this exposure to spoofing is a *significant*
addition to the generic exposure. If you were a spoofer, would
you really bother spoofing 6to4 rather than just plain spoofing? So
my feeling is that we really need more general work on anti-v6-spoofing, 
with this viewed as one case among many.

I am reluctant to see us publish an RFC containing specific
heuristics for the 6to4 case until we have really looked at
spoofing in general.

   Brian

Pekka Savola wrote:
> 
> Hello,
> 
> The most important part (how to go forward) got cut off at the meeting, so
> I'm hoping to be able to hear some thoughts on the 6to4 security issues.
> 
> * The most important thing:
>  ==> document the existing problems and declare done or try to invent
> bigger fixes for the problems?
> 
> * Draft has two parts
>  - relay spoofing troubles
>  - 6to4 usage analysis, guidelines for sec considerations
> implementation etc.
>  ==> keep these separate or not? (the second are IMO ready)
> 
> * Is the relay problem (spoofing from 2001::/16) something we need to
> worry about?
>  - after all, you probably can spoof the source addresses without 6to4
> too..
>  ==> if yes, how much effort should we put into it?
> 
> * Should we analyze the DoS attacks (abusing relays) whether anything can
> be done against those in more detail?
>  - already in the draft, maybe more
> 
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                   not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM 
On assignment at the IBM Zurich Laboratory, Switzerland
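One concrete form of the relay-side check the thread is debating, as an added example that is not code from either poster: a 6to4 relay decapsulating a protocol-41 packet from the IPv4 side accepts it only if the IPv4 address embedded in the inner 2002::/16 source (bits 16-47; 2002::/16 is the 6to4 prefix) equals the outer IPv4 source and is not a reserved address. The packet builder, the sample addresses and the function names are constructed for illustration and are assumptions of this example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41                                  # protocol-41 encapsulation used by 6to4
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
# IPv4 ranges that must never appear as a 6to4 embedded address (constructed list)
RESERVED_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def build_6to4_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Construct a minimal protocol-41 packet: 20-byte IPv4 header + 40-byte IPv6 header
    (no checksum, no payload); sample input only."""
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    inner = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed)
    return outer + inner


def embedded_v4(addr6):
    """Bits 16..47 of a 2002::/16 address carry the 6to4 site's public IPv4 address."""
    return ipaddress.IPv4Address(addr6.packed[2:6])


def check_6to4_ingress(packet):
    """Decide whether a relay should accept a packet arriving from the IPv4 side.
    Returns (accept, reason)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6:
        return False, "not protocol 41"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "inner packet is not IPv6"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src not in SIXTO4_PREFIX:
        return False, "inner source not in 2002::/16"
    v4 = embedded_v4(inner_src)
    if any(v4 in net for net in RESERVED_V4):
        return False, f"embedded IPv4 {v4} is reserved"
    if v4 != outer_src:
        # Outer source and embedded address disagree: the classic 6to4 spoof.
        return False, f"embedded IPv4 {v4} does not match outer source {outer_src}"
    return True, "ok"
```

The check closes only the 6to4-specific inconsistency; an attacker who can spoof the outer IPv4 source consistently is still limited only by ordinary IPv4 ingress filtering, which is exactly the general point raised above.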