RE: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
> Past sins should not be an excuse to repeat them in the future.
The past is actually the present. Moving from present to future should
also be considered important.
> I think we can all agree that the current failure of deployment of
> (IPv4) source address spoofing prevention measures at the edge is one
> of the important components in the operational mess we are in at the
> present where it is for all practical purposes impossible to track
> down and weed out DDoS attack agents, and we should not be promoting
> protocols which embed the current situation in concrete, and label it
> as "good enough".
It is not at all obvious that ingress filtering would prevent the worst
DDOS attacks, which are virus based.
In any case, I am just proposing that we grade the attacks in three
buckets: those that are no worse than the current mess, those that are
worse than a clean IPv4 network, and those that are worse than a clean
IPv6-only network.
> > At least during the transition phase, most IPv6 hosts will be
> > dual-homed, which means they will benefit from IPv4 qualities
> > anyhow.
>
> I think you mean "dual-stack"? I think the same comment as above
> applies here as well.
There is a question of time. As long as most services have to be
provided in both IPv4 & IPv6, then the fact of life is that they can be
subject to DDOS over either IPv4 or IPv6. The next question is, can we
get a clean picture by the time it makes sense to have IPv6 only
networking.
-- Christian Huitema