
Re: 6to4 security questions



On Wed, 20 Nov 2002, Brian E Carpenter wrote:
> My fundamental question since the 6to4 spoofing issue was first 
> raised is whether this exposure to spoofing is a *significant*
> addition to the generic exposure. If you were a spoofer, would
> you really bother spoofing 6to4 rather than just plain spoofing? So
> my feeling is that we really need more general work on anti-v6-spoofing, 
> with this viewed as one case among many. 

That depends on how you expect the spoofing protection to be implemented.

If we assume that v6 deployments have learned since v4 deployments, and 
are now also using ingress filtering -- v6 spoofing could be more 
difficult than v4.

But then again, v6 spoofing could be equally easy (or even easier, due to 
"experimental" nature).

Note that even if both v4 and v6 ingress filtering is deployed, this
attack is still usable (it's unlikely that the encapsulating source v4
address will be logged, and even if it were, it's probably just some
compromised box sitting behind some poor fool's DSL line).

> Pekka Savola wrote:
> > 
> > Hello,
> > 
> > The most important part (how to go forward) got cut off at the meeting, so
> > I'm hoping to be able to hear some thoughts on the 6to4 security issues.
> > 
> > * The most important thing:
> >  ==> document the existing problems and declare done or try to invent
> > bigger fixes for the problems?
> > 
> > * Draft has two parts
> >  - relay spoofing troubles
> >  - 6to4 usage analysis, guidelines for sec considerations
> > implementation etc.
> >  ==> keep these separate or not? (the second are IMO ready)
> > 
> > * Is the relay problem (spoofing from 2001::/16) something we need to
> > worry about?
> >  - after all, you probably can spoof the source addresses without 6to4
> > too..
> >  ==> if yes, how much effort should we put into it?
> > 
> > * Should we analyze the DoS attacks (abusing relays) whether anything can
> > be done against those in more detail?
> >  - already in the draft, maybe more
> > 
> > --
> > Pekka Savola                 "Tell me of difficulties surmounted,
> > Netcore Oy                   not those you stumble over and fall"
> > Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
> 
> 

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
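One relay-side ingress check for the relay spoofing problem discussed in this thread, as an added illustration that is not part of the original thread or of the draft: before decapsulating a protocol-41 packet, it verifies that the inner IPv6 source is a 6to4 address whose embedded IPv4 address matches the outer IPv4 source, and rejects embedded addresses that could never belong to a 6to4 site. The NOT_EMBEDDABLE list, the packet builder and every address used are assumed or constructed for the example.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# IPv4 ranges that can never be a valid 6to4 site address (assumed list for the example)
NOT_EMBEDDABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def build_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed IPv6-in-IPv4 (protocol 41) header pair with no payload."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 41, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    return v4 + v6

def embedded_v4(addr):
    """IPv4 address carried in bits 16..47 of a 2002:V4ADDR::/48 prefix."""
    return ipaddress.IPv4Address(addr.packed[2:6])

def check_relay_ingress(packet):
    """Decide whether a relay should decapsulate; returns (accept, reason)."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 41:
        return False, "not IPv6-in-IPv4"
    ihl = (packet[0] & 0x0F) * 4
    outer_src = ipaddress.IPv4Address(packet[12:16])
    v6 = packet[ihl:]
    if len(v6) < 40 or v6[0] >> 4 != 6:
        return False, "inner packet is not IPv6"
    inner_src = ipaddress.IPv6Address(v6[8:24])
    # A relay serving 6to4 sites should only see 2002::/16 inner sources;
    # anything else (e.g. a native 2001::/16 source) is a spoofing attempt.
    if inner_src not in SIX_TO_FOUR:
        return False, "inner source %s is not a 6to4 address" % inner_src
    emb = embedded_v4(inner_src)
    # The embedded IPv4 address must be the encapsulating source, so the
    # outer address is tied to (and can be logged with) the inner one.
    if emb != outer_src:
        return False, "embedded %s does not match outer source %s" % (emb, outer_src)
    if any(emb in net for net in NOT_EMBEDDABLE):
        return False, "embedded %s is not globally routable" % emb
    return True, "ok"
```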