[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt

To: Pekka Savola <pekkas@netcore.fi>
Subject: Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
From: Alain Durand <Alain.Durand@Sun.COM>
Date: Wed, 18 Dec 2002 14:42:10 -0800
Cc: v6ops@ops.ietf.org
References: <Pine.LNX.4.44.0212182351050.22197-100000@netcore.fi>
User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1) Gecko/20020920Netscape/7.0


Pekka Savola wrote:

Maybe I was not very clear, I meant a single zombie
pretending to be a relay and sending a single packet
to a very large number of 6to4 hosts with IPv6 src
set to the victim machine.

Right, I misunderstood a part of your cases.

However, I believe this becomes a real pain in the case that there are
enough relays (in the degree of hundreds or thousands) so rate-limiting or
statistical analysis on _relays_ is not really possible; obviously 6to4
nodes/routers can't do much there -- but that's little different to
someone today sending a TCP SYN to Joe Random with forged source address.

The difference is mainly in that the attack is doable even if you're ipv4
ingress filtered as trace about real IPv4 address used in the attack is
lost at 6to4 routers.

This is exactly the point I've been trying to make.
In this scenario, the 6to4 technology enables one
to set up an attack that was supposed to be prevented
by ingress filtering. And again, there is no way to prevent
it from hapening.

   - Alain.

References:
- Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: RE: FW: 3gpp scenario 2
Next by Date: RE: FW: 3gpp scenario 2
Previous by thread: Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
Next by thread: Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
Index(es):
- Date
- Thread