
RE: 6to4 security questions



[I removed the To's and CC's as they are all on the list anyways ;) ]

Alain Durand wrote:
> Erik Nordmark wrote:

> 1- Revisit the 6to4 architecture to have bi-directional communication
>    between the 6to4 router and the 6to4 relay. That way the decapsulating
>    6to4 router could apply some checks and make sure packets are
>    coming from a legitimate 6to4 relay.
> 
> 2- Declare the problem unsolvable and try to mitigate the effect;
>    investigate iTrace solutions to enable tracing back the source of a
>    DDoS attack.
> 
> 3- The main security concern is that the open relay architecture enables
>    an attacker to defeat IPv4 ingress filtering (if in place) to
>    perform a DDoS on an IPv6 host.
>    There are already many other ways to create a DDoS, so we
>    should not worry too much.

Currently in Europe, at least, there are only a few 6to4 relays:
 - Switch
 - Cybernet
 - Funet

More at http://www.kfu.com/~nsayer/6to4/ (which bans IE browsers)
Of the above Switch attracts the most traffic.

Limiting the 6to4 relay to a certain scope using the 6to4 anycast
allows one to at least limit DDoS attacks to that scope, which could
be only a couple of neighboring ASes. This will also solve the
"I route via Switzerland" problem even though one is in The
Netherlands, for example.

AFAIK FUNET only announces its relay to a couple of ASes and this
seems to work quite well. Of course, to be completely certain of this
you should ask them whether they have had any problems.

IPng (www.ipng.nl) had a 6to4 relay for some time but we closed it
due to the many abuses that came along with it. Requiring users to at
least sign up to the service does impose a small step, but apparently,
seeing the number of configured tunnels provided by the many tunnel
broker services, it isn't a very big limitation for most people.

Personally I don't like 6to4 because the routing in the 6to4 world is
far from perfect, or acceptable for most people.
Configured tunnels are clearer, easier to troubleshoot and to trace
abuse from/to. The good thing, of course, is that it helps out people
wanting to do IPv6 to transition very quickly, even though I would
recommend those people get a configured tunnel from their closest
upstream and transition to native IPv6 where possible, of course.

Greets,
 Jeroen
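The checks discussed in this thread (Alain's point 1 about the decapsulating 6to4 router verifying where a packet came from, and the ingress-filtering concern in point 3) can be made concrete on the 6to4 site router side. The following is an added example, not code from the original message or from any of the relays named above. It assumes a site router that accepts two kinds of tunnelled traffic: direct 6to4-to-6to4 packets, where the IPv4 address embedded in the inner 2002::/16 source must equal the outer IPv4 source, and native-IPv6 packets, which must arrive from a relay on a hypothetical per-site allowlist (TRUSTED_RELAYS, an assumption of this example). The bogon list is abbreviated and all addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import Set, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")           # RFC 3056 6to4 prefix
ANYCAST_RELAY = ipaddress.IPv4Network("192.88.99.0/24")  # RFC 3068 relay anycast prefix

# Abbreviated bogon list (assumption: a production filter would carry a fuller one).
# An IPv4 address in one of these can never be a real 6to4 site or relay, so it is
# rejected both as the outer source and as the address embedded in a 2002::/16 address.
BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Hypothetical relay allowlist for this site (an assumption of the example, not a
# real relay): native-IPv6 inner sources are only accepted from these outer sources.
TRUSTED_RELAYS: Set[ipaddress.IPv4Address] = {ipaddress.IPv4Address("203.0.113.254")}


def is_bogon(v4: ipaddress.IPv4Address) -> bool:
    return any(v4 in net for net in BOGONS)


def embedded_v4(v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """IPv4 address embedded in a 6to4 address: bits 16..47 of 2002:VVVV:VVVV::/48."""
    return ipaddress.IPv4Address(v6.packed[2:6])


def check_decap(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                trusted: Set[ipaddress.IPv4Address] = TRUSTED_RELAYS) -> Tuple[bool, str]:
    """Decide whether a 6to4 site router should accept a decapsulated packet.

    outer_src/outer_dst are the IPv4 header addresses, inner_src/inner_dst the
    IPv6 header addresses. Returns (accept, reason).
    """
    o_src, o_dst = ipaddress.IPv4Address(outer_src), ipaddress.IPv4Address(outer_dst)
    i_src, i_dst = ipaddress.IPv6Address(inner_src), ipaddress.IPv6Address(inner_dst)

    # 1. The outer source must be a routable unicast address; spoofed bogons go first.
    if is_bogon(o_src):
        return False, "reject: outer source is a bogon"

    # 2. The inner destination must be this site's own 6to4 prefix, i.e. it must
    #    embed the IPv4 address the encapsulated packet was actually sent to.
    if i_dst not in SIXTO4 or embedded_v4(i_dst) != o_dst:
        return False, "reject: inner destination does not embed outer destination"

    # 3. Inner sources that are not usable on the wire (loopback, link-local, multicast).
    if i_src.is_loopback or i_src.is_link_local or i_src.is_multicast:
        return False, "reject: inner source is not globally routable"

    # 4. Direct 6to4 peer: the embedded IPv4 address must match the outer source,
    #    otherwise the IPv6 source was forged inside a tunnel to dodge IPv4 ingress
    #    filtering (the concern raised in the thread).
    if i_src in SIXTO4:
        emb = embedded_v4(i_src)
        if is_bogon(emb):
            return False, "reject: inner 6to4 source embeds a bogon"
        if emb != o_src:
            return False, "reject: inner 6to4 source does not embed outer source"
        return True, "ok: direct 6to4 peer"

    # 5. Native IPv6 source: it can only have reached us via a relay, so the outer
    #    source must be a relay this site has chosen to trust.
    if o_src in trusted:
        return True, "ok: trusted relay"
    return False, "reject: native IPv6 source from unknown relay"


if __name__ == "__main__":
    # Constructed sample packets: (outer_src, outer_dst, inner_src, inner_dst)
    samples = [
        ("198.51.100.7", "203.0.113.9", "2002:c633:6407::1", "2002:cb00:7109::1"),   # genuine peer
        ("198.51.100.8", "203.0.113.9", "2002:c633:6407::1", "2002:cb00:7109::1"),   # forged 6to4 src
        ("203.0.113.254", "203.0.113.9", "2001:db8::1", "2002:cb00:7109::1"),        # via trusted relay
        ("198.51.100.7", "203.0.113.9", "2001:db8::1", "2002:cb00:7109::1"),         # via unknown relay
        ("10.0.0.1", "203.0.113.9", "2002:0a00:0001::1", "2002:cb00:7109::1"),       # bogon outer src
    ]
    for pkt in samples:
        print(pkt, "->", check_decap(*pkt))
```

The two checks do different jobs: the embedded-address comparison is cheap and needs no state, but only covers packets whose inner source is itself a 6to4 address; traffic from native IPv6 hosts carries no such binding, which is exactly why an open relay lets anyone inject traffic and why the thread ends up discussing relay scoping and sign-up instead.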