Re: 6to4 security questions
On Wed, 20 Nov 2002, Francis Dupont wrote:
> There are in my opinion 4 ways forward:
>
> 1- Revisit 6to4 architecture to have bi-directional communication
> between the 6to4 router and the 6to4 relay. That way the decapsulating
> 6to4 router could apply some checks and make sure packets are coming
> from a legitimate 6to4 relay.
>
> => this is the solution for the home address option similar issue
> (the option is checked against the binding cache, i.e., is validated
> only when two-way communication is used).
The amount of harm one can do is similar, but the model seems otherwise a
bit different.
Mobile nodes _were able to_ (speaking about the old spec where unverified
HAO was still ok) communicate without HAO's. Your regular honest 6to4
node can't as it's its only address; they have no care-of addresses for
bootstrapping, regular/no-frills operation, etc.
--
Pekka Savola "Tell me of difficulties surmounted,
Netcore Oy not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords