
Re: 6to4 security questions



Erik Nordmark wrote:

> Instead it makes sense trying to find sound operational practices that can
> be applied while allowing nodes/sites using 6to4 to communicate with
> nodes/sites that do not use 6to4 without severe security issues.

Given the current open, asymmetrical relay architecture of 6to4, this is not possible.

The core of the problem is that when decapsulating packets, 6to4 routers
currently have no way to know if packets are coming from a legitimate relay or not.
Any IPv4 host can impersonate a 6to4 relay and send a packet to a candid
6to4 host with IPv6 src the address of an IPv6 victim.
The associated 6to4 router will decapsulate (no way to apply any check),
pass it to the candid host that will reply to the IPv6 src, that is, the victim.
Multiply this by thousands of candid hosts and you have a very nice
anonymized distributed denial of service attack on the IPv6 victim.
This is nothing new and was presented at London IETF.

There are in my opinion 4 ways forward:

1- Revisit the 6to4 architecture to have bi-directional communication
between the 6to4 router and the 6to4 relay. That way the decapsulating
6to4 router could apply some checks and make sure packets are coming
from a legitimate 6to4 relay.

2- Declare the problem unsolvable and try to mitigate the effect,
investigate iTrace solutions to enable tracing back the source of a DDOS attack.

3- The main security concern is that the open relay architecture enables an attacker
to defeat IPv4 ingress filtering (if in place) to perform DDOS on an IPv6 host.
There are already many other ways to create DDOS, so we should not worry too much.

4- Declare the problem unsolvable and serious. This means deprecating 6to4.


IMHO, 1) is a major undertaking, 2) is scary at least, 3) is irresponsible and
4) has tremendous consequences.

- Alain.
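The decapsulation problem Alain describes can be made concrete with a small model of the check a 6to4 router is able to perform. This is an added example, not code from the mail or from any 6to4 implementation, and all addresses in it are constructed from documentation ranges. For a packet whose inner IPv6 source is itself a 2002::/16 address, the router can verify that the IPv4 address embedded in it matches the outer IPv4 source. For a native IPv6 source, which by design arrives via some relay, there is nothing in the packet to check; the only thing that helps is a list of relays the site has agreed to trust, which is what option 1 in the mail would provide.

```python
import ipaddress
from dataclasses import dataclass

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


@dataclass(frozen=True)
class EncapsulatedPacket:
    """Constructed stand-in for an IPv6-in-IPv4 (protocol 41) packet as seen
    by the decapsulating 6to4 router: the outer IPv4 source plus the inner
    IPv6 source and destination."""
    outer_src: str  # IPv4 source of the encapsulating packet
    inner_src: str  # IPv6 source of the encapsulated packet
    inner_dst: str  # IPv6 destination (a 2002::/16 address behind this router)


def embedded_ipv4(addr6):
    """Return the IPv4 address embedded in a 2002::/16 address, or None if
    the address is not a 6to4 address."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIXTO4_PREFIX:
        return None
    # The 32 embedded bits sit directly after the 16-bit 2002 prefix,
    # i.e. bits 80..111 counted from the least significant end.
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def decapsulation_decision(pkt, trusted_relays=()):
    """Decide whether a 6to4 router should accept a decapsulated packet.

    Returns (accept, reason). trusted_relays is an optional iterable of IPv4
    relay addresses; an empty list models the open relay architecture the
    mail discusses, where no relay check is possible.
    """
    outer = ipaddress.IPv4Address(pkt.outer_src)
    inner_v4 = embedded_ipv4(pkt.inner_src)

    if inner_v4 is not None:
        # Site-to-site 6to4 traffic: the inner 6to4 source must have been
        # encapsulated by the router whose IPv4 address it embeds.
        if inner_v4 == outer:
            return True, "6to4 source consistent with outer IPv4 source"
        return False, "6to4 source does not match outer IPv4 source"

    # Native IPv6 source: the packet claims to come through a relay, but the
    # packet itself carries nothing that proves which relay, if any, sent it.
    trusted = {ipaddress.IPv4Address(r) for r in trusted_relays}
    if not trusted:
        return True, "native IPv6 source, open relay model: no check possible"
    if outer in trusted:
        return True, "native IPv6 source from a known relay"
    return False, "native IPv6 source from an unknown IPv4 host"


def demo():
    """Run the checks over constructed packets and return the decisions."""
    # A legitimate site-to-site packet: 192.0.2.10 embeds itself in 2002:c000:020a::/48.
    site_ok = EncapsulatedPacket("192.0.2.10", "2002:c000:020a::1", "2002:c633:6401::1")
    # The same inner source arriving from a different IPv4 host fails the consistency check.
    site_bad = EncapsulatedPacket("198.51.100.7", "2002:c000:020a::1", "2002:c633:6401::1")
    # A native IPv6 source (the would-be reflection victim in the mail's scenario) arriving
    # from an arbitrary IPv4 host: indistinguishable from relay traffic without a relay list.
    native = EncapsulatedPacket("198.51.100.7", "2001:db8::1", "2002:c633:6401::1")
    return {
        "site_ok": decapsulation_decision(site_ok),
        "site_bad": decapsulation_decision(site_bad),
        "native_open": decapsulation_decision(native),
        "native_with_relay_list": decapsulation_decision(native, ["192.0.2.10"]),
    }


if __name__ == "__main__":
    for name, (accept, reason) in demo().items():
        print(f"{name:24s} accept={accept!s:5s} {reason}")
```

The `native_open` case is the one the mail is about: with the open relay model the router has no basis for refusing the packet, so the consistency check only protects against spoofed 6to4-to-6to4 traffic, not against relay impersonation.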