Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt

Pekka,

There are some aspects you somehow overlooked in your draft.

1. This attack by spoofing relay can be distributed to
   a huge number of reflectors (just have to find their address
   in the DNS). This changes quite a lot of things, and
   makes tracing the attack and stopping it very difficult.
   For example, it is not clear how statistical analysis
   done on packet sampling will work.

2. If outgoing 6to4 relays get widely deployed and the attack
   uses a very large number of reflectors with just one zombie,
   it is not clear that the relays will act as a contention point...

3. ...but if they do, the attack is transformed from a DDOS attack
   on the fake IPv6 src to a DDOS attack on the relays!

   - Alain.