
RE: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



> Past sins should not be an excuse to repeat them in the future.

The past is actually the present. Moving from present to future should
also be considered important.

> I think we can all agree that the current failure of deployment of
> (IPv4) source address spoofing prevention measures at the edge is one
> of the important components in the operational mess we are in at the
> present where it is for all practical purposes impossible to track
> down and weed out DDoS attack agents, and we should not be promoting
> protocols which embed the current situation in concrete, and label it
> as "good enough".

It is not at all obvious that ingress filtering would prevent the worst
DDOS attacks, which are virus based.

In any case, I am just proposing that we grade the attacks in three
buckets: those that are no worse than the current mess, those that are
worse than a clean IPv4 network, and those that are worse than a clean
IPv6-only network. 

> > At least during the transition phase, most IPv6 hosts will be
> > dual-homed, which means they will benefit from IPv4 qualities
> > anyhow.
> 
> I think you mean "dual-stack"?  I think the same comment as above
> applies here as well.

There is a question of time. As long as most services have to be
provided in both IPv4 & IPv6, then the fact of life is that they can be
subject to DDOS over either IPv4 or IPv6. The next question is, can we
get a clean picture by the time it makes sense to have IPv6 only
networking.

-- Christian Huitema