SUMMARY: 6to4 security

Hello,

I was asked to try to summarize the thread a bit.

Most important points, with regard to how to go forward, I think:

 1) it is not yet clear whether the current 6to4 security situation is
acceptable (and with what kind of disclaimers); some of these issues may
only be considered as DoS attacks like any others possible today.

 2) due to that, I'll do a more complete and explicit threat analysis of
6to4 and add it as a section in the draft; this should help in trying to
figure out where we stand and where to go (if necessary).

 3) the "using 192.88.99.0/24 as source address" model does not buy much
for reliably detecting the real relay, so I'll add more disclaimers on that
to the draft.

 4) I'll also add some text on static vs. BGP configuration of 6to4 
routers, in the 6to4 usage cases (also naturally included in the threat 
analysis above).

 5) I'll add a very short piece of text about the "6to4 used for tunnel
end-point addressing only (compare to compatible addresses)" in the usage
cases.

 6) the "more specific routes between 6to4 relays" issue might work (at least
for some cases); the text could be improved a bit, but as other things
(like the security) are still open, I'll keep it as is for now [option two
here would be to remove all but core text and publish it as a separate I-D
-- this is the long-term goal anyway -- comments?].

I'll try to make a new draft available within 1.5 weeks, but we'll see.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
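The relay-detection point in item 3 is easiest to see on a decapsulated packet. The following Python is an added example, not part of the message or of the draft it refers to. It assumes the standard 6to4 sanity check (for a 2002::/16 source, the IPv4 address embedded in the inner IPv6 source must equal the outer IPv4 source), an assumed "martian" list for embedded addresses, and constructed sample packets using documentation addresses; the names `classify_decapsulated`, `embedded_ipv4` and `SAMPLES` are this example's own. For a native IPv6 source relayed by a 6to4 relay there is nothing to check against, so an outer source inside 192.88.99.0/24 is reported as unverifiable rather than as proof of a real relay.

```python
import ipaddress

# 6to4 prefix (RFC 3056) and the relay anycast prefix the message refers to.
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")

# Assumed "martian" list: private, loopback, link-local, multicast and
# reserved ranges can never legitimately be embedded in a 6to4 prefix.
MARTIANS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def embedded_ipv4(ipv6):
    """Return the IPv4 address embedded in a 2002::/16 address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4_PREFIX:
        return None
    # Bytes 2..5 of the 128-bit address carry the IPv4 address (2002:V4ADDR::/48).
    return ipaddress.IPv4Address(addr.packed[2:6])


def is_martian(v4):
    """True if the embedded IPv4 address falls in one of the assumed martian ranges."""
    return any(v4 in net for net in MARTIANS)


def classify_decapsulated(outer_src, inner_src):
    """Classify one protocol-41 packet received from the IPv4 side.

    outer_src: IPv4 source of the encapsulating header
    inner_src: IPv6 source of the encapsulated packet
    Returns (verdict, reason), verdict in {"accept", "drop", "unverifiable"}.
    """
    outer = ipaddress.IPv4Address(outer_src)
    emb = embedded_ipv4(inner_src)
    if emb is not None:
        # 6to4 source: the outer IPv4 source must be the embedded address.
        if is_martian(emb):
            return ("drop", f"embedded IPv4 {emb} is a martian address")
        if emb != outer:
            return ("drop", f"embedded IPv4 {emb} does not match outer source {outer}")
        return ("accept", "6to4 source consistent with outer IPv4 source")
    # Native IPv6 source: it can only have arrived via some relay, but the
    # outer source does not authenticate that relay. A source inside
    # 192.88.99.0/24 is as easy to forge as any other IPv4 source, which is
    # why the anycast-source model does not reliably identify the real relay.
    if outer in RELAY_ANYCAST:
        return ("unverifiable",
                f"outer source {outer} is in the relay anycast prefix, "
                "which proves nothing about the sender")
    return ("unverifiable", f"native IPv6 source relayed from unknown host {outer}")


# Constructed sample packets (documentation addresses), not captured traffic.
SAMPLES = [
    ("192.0.2.4",    "2002:c000:204::1"),  # consistent 6to4 host
    ("198.51.100.9", "2002:c000:204::1"),  # outer source spoofed or misrouted
    ("192.0.2.4",    "2002:a00:1::1"),     # embeds 10.0.0.1, a martian
    ("192.88.99.1",  "2001:db8::1"),       # native source, anycast outer address
    ("203.0.113.7",  "2001:db8::1"),       # native source via unknown relay
]


def run_samples():
    """Verdicts for SAMPLES, in order."""
    return [classify_decapsulated(outer, inner)[0] for outer, inner in SAMPLES]


if __name__ == "__main__":
    for outer, inner in SAMPLES:
        verdict, reason = classify_decapsulated(outer, inner)
        print(f"{outer:>14} -> {inner:<18} {verdict:<12} {reason}")
```

Running the block prints one verdict per constructed packet; only the first sample is accepted, the two inconsistent 6to4 sources are dropped, and both native-source packets come back unverifiable regardless of whether the outer source is in 192.88.99.0/24.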