Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
Pekka,
There are some aspects you somehow overlooked in your draft.
1. This attack by spoofing relay can be distributed to
a huge number of reflectors (just have to find their address
in the DNS). This changes quite a lot of things, and
makes tracing the attack and stopping it very difficult.
For example, it is not clear how statistical analysis
done on packet sampling will work.
2. If outgoing 6to4 relays get widely deployed and the attack
uses a very large number of reflectors with just one zombie,
it is not clear that the relays will act as a contention point...
3. ...but if they do, the attack is transformed from a DDOS attack
on the fake IPv6 src to a DDOS attack on the relays!
- Alain.