
Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt

Pekka Savola wrote:

Maybe I was not very clear, I meant a single zombie
pretending to be a relay and sending a single packet
to a very large number of 6to4 hosts with IPv6 src
set to the victim machine.


Right, I misunderstood a part of your cases.

However, I believe this becomes a real pain in the case that there are
enough relays (in the degree of hundreds or thousands) so rate-limiting or
statistical analysis on _relays_ is not really possible; obviously 6to4
nodes/routers can't do much there -- but that's little different to
someone today sending a TCP SYN to Joe Random with forged source address.

The difference is mainly that the attack is doable even if you're IPv4
ingress filtered, as the trace of the real IPv4 address used in the attack is
lost at 6to4 routers.

This is exactly the point I've been trying to make.
In this scenario, the 6to4 technology enables one
to set up an attack that was supposed to be prevented
by ingress filtering. And again, there is no way to prevent
it from happening.

   - Alain.
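The consistency check a decapsulating 6to4 router can apply, and why it does not recover the origin in the relay-spoofing case discussed above, as an added example: this is not code from the thread or from the draft, and the packet samples and addresses (documentation ranges) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


@dataclass
class Encapsulated:
    """A 6to4 packet as seen by the decapsulating 6to4 router (IPv6 inside IPv4)."""
    outer_ipv4_src: str   # IPv4 source of the tunnel packet
    inner_ipv6_src: str   # IPv6 source carried inside
    inner_ipv6_dst: str   # IPv6 destination (a 2002::/16 host behind this router)


def embedded_ipv4(addr: str) -> str:
    """IPv4 address embedded in a 2002:V4ADDR::/48 6to4 address (bits 16..47)."""
    bits = int(ipaddress.IPv6Address(addr))
    return str(ipaddress.IPv4Address((bits >> 80) & 0xFFFFFFFF))


def decapsulation_check(pkt: Encapsulated) -> Tuple[bool, str]:
    """Source check a 6to4 router can make on decapsulation. Returns (accept, reason)."""
    src = ipaddress.IPv6Address(pkt.inner_ipv6_src)
    if src in SIX_TO_FOUR:
        # 6to4-to-6to4 traffic: the inner source must embed the outer IPv4 source.
        if embedded_ipv4(pkt.inner_ipv6_src) == pkt.outer_ipv4_src:
            return True, "6to4 source matches outer IPv4 source"
        return False, "6to4 source does not match outer IPv4 source"
    # Native IPv6 source: the packet claims to come from a relay. Nothing in the
    # packet ties the inner source to the outer IPv4 address, so the router
    # cannot verify it; the outer address is the only trace it can log.
    return True, "native source, unverifiable; outer IPv4 %s is the only trace" % pkt.outer_ipv4_src


def delivered_source(pkt: Encapsulated) -> str:
    """What the 6to4 host behind the router sees after decapsulation: only the inner source."""
    return pkt.inner_ipv6_src


# Constructed samples. The third is the case from the thread: a host posing as a
# relay, with the inner IPv6 source set to the (native) victim's address.
LEGIT = Encapsulated("192.0.2.1", "2002:c000:201::1", "2002:c633:6401::1")
FORGED_6TO4 = Encapsulated("203.0.113.9", "2002:c000:201::1", "2002:c633:6401::1")
VIA_CLAIMED_RELAY = Encapsulated("203.0.113.9", "2001:db8::1", "2002:c633:6401::1")

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("forged", FORGED_6TO4), ("relay", VIA_CLAIMED_RELAY)]:
        print(name, decapsulation_check(pkt), "host sees:", delivered_source(pkt))
```

The router's check only covers 2002::/16 sources; for a native source it must trust the claimed relay, and once the packet is decapsulated the target host has nothing but the inner IPv6 source, which is why the IPv4 origin is lost.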