[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt

To: v6ops@ops.ietf.org
Subject: Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
From: Alain Durand <Alain.Durand@Sun.COM>
Date: Wed, 11 Dec 2002 09:48:57 -0800
References: <200212091301.IAA06853@ietf.org> <3DF714DB.19B74094@hursley.ibm.com>
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1) Gecko/20020920Netscape/7.0

Pekka,

There are some aspects you somehow overlooked in your draft.

1. This attack by spoofing relay can be distributed to
   a huge number of reflectors (just have to find their address
   in the DNS). This changes  quiet a lot of things, and
   makes tracing the attack and stopping it very difficult.
   For example, it is not clear how statistical analysis
   done on packet sampling will work.

2. If outgoing 6to4 relays get widely deployed and the attack
   uses a very large number of reflectors with just one zombie,
   it is not clear that the relays will act as a contention point...

3. ...but if they do, the attack is transformed from a DDOS attack
   on the fake IPv6 src to a DDOS attack on the relays!

   - Alain.

Follow-Ups:
- Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
  - From: Pekka Savola <pekkas@netcore.fi>

References:
- I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
  - From: Internet-Drafts@ietf.org
- Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
  - From: Brian E Carpenter <brian@hursley.ibm.com>

Prev by Date: I-D ACTION:draft-ietf-v6ops-3gpp-analysis-00.txt
Next by Date: comments : draft-ietf-v6ops-3gpp-analysis-00.txt
Previous by thread: Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
Next by thread: Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
Index(es):
- Date
- Thread