
RE: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



> However, I believe this becomes a real pain in the case that there are
> enough relays (in the degree of hundreds or thousands) so rate-limiting or
> statistical analysis on _relays_ is not really possible; obviously 6to4
> nodes/routers can't do much there -- but that's little different to
> someone today sending a TCP SYN to Joe Random with forged source address.
> 
> The difference is mainly in that the attack is doable even if you're IPv4
> ingress filtered, as the trace of the real IPv4 address used in the attack is
> lost at 6to4 routers.

Which is why we need some sort of mitigation. One way to make the attack
risky for the attacker is to send back a tracing message, as follows:

Upon reception of a 6to4 packet from IPv4 source S4, IPv4 destination
D4, IPv6 source S6 and IPv6 destination D6, the 6to4 router performs
ingress checks. If S6 is a "native" (non-6to4) IPv6 address, the router
checks that D6 is a local destination, i.e. a 6to4 address whose header
embeds the destination D4; if that is not the case, it drops the packet.
(This is as specified today.) If D4 and D6 have the right values, the
6to4 router picks a random boolean value, true x% of the time; if the
value is true, the router formats and sends an IPv6 packet, such as:
	IPv6 source: the router's 6to4 address;
	IPv6 destination: S6;
	Payload type and format: TBD;
	Content: includes notation of S4.
In a situation of attack, these packets can be retrieved by S6 (the
attacked party) to identify S4 (the IPv4 attacker). It does not matter
that the attack is spread over a large number of relays: x% of the
attacker's packets will provide a sufficient signature, as they will all
contain the address S4.

-- Christian Huitema
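The ingress check and probabilistic trace described in the message above, worked through as a small simulation. This is an added example, not code from the thread, the draft, or any 6to4 implementation. It assumes only the RFC 3056 address layout (2002:V4ADDR::/48, with anything outside 2002::/16 treated as "native"); the `Encapsulated` and `Trace` dataclasses, the `router_receive`/`simulate_attack`/`identify_attacker` functions and the 198.51.100.0/24 relay addresses are constructed for illustration, and since the payload format of the tracing message is TBD in the message, `Trace` is a placeholder for it. The attack scenario at the end spreads forged-source packets over 200 relays to show that the victim can still recover S4 from the aggregate.

```python
import ipaddress
import random
from collections import Counter
from dataclasses import dataclass

# 6to4 addresses are 2002:V4ADDR::/48 (RFC 3056); anything outside 2002::/16
# is "native" IPv6 for the purposes of the check described in the message.
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")


def sixto4_address(v4, subnet=0, iid=1):
    """Build the 6to4 address 2002:V4ADDR:subnet::iid for an IPv4 address."""
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address((0x2002 << 112) | (int(v4) << 80) | (subnet << 64) | iid)


def embedded_v4(v6):
    """Return the IPv4 address embedded in a 6to4 address, or None if v6 is native."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


@dataclass(frozen=True)
class Encapsulated:
    """A 6to4 packet as seen by the router: outer IPv4 (s4, d4), inner IPv6 (s6, d6)."""
    s4: str
    d4: str
    s6: str
    d6: str


@dataclass(frozen=True)
class Trace:
    """Hypothetical tracing message (its real payload format is TBD in the message)."""
    src6: str         # the router's own 6to4 address
    dst6: str         # S6, the (possibly forged) inner IPv6 source
    reported_s4: str  # the outer IPv4 source that actually carried the packet


def router_receive(pkt, router_v4, trace_prob, rng=None):
    """Ingress checks plus the proposed probabilistic trace.

    Returns (accepted, trace): accepted is False when the packet is dropped,
    trace is a Trace to send back to S6, or None.
    """
    if rng is None:
        rng = random
    s6_v4 = embedded_v4(pkt.s6)
    if s6_v4 is not None:
        # S6 is itself a 6to4 address: the usual RFC 3056 check that the
        # embedded IPv4 address matches the outer source. No trace is sent;
        # the proposal targets a forged *native* S6.
        return (str(s6_v4) == pkt.s4), None
    # S6 is native: D6 must be a local 6to4 address embedding D4, and D4 must
    # be this router's own address. Otherwise drop ("as specified today").
    d6_v4 = embedded_v4(pkt.d6)
    if d6_v4 is None or str(d6_v4) != pkt.d4 or pkt.d4 != router_v4:
        return False, None
    trace = None
    if rng.random() < trace_prob:  # the random boolean, true x% of the time
        trace = Trace(src6=str(sixto4_address(router_v4)), dst6=pkt.s6, reported_s4=pkt.s4)
    return True, trace


def simulate_attack(attacker_v4, victim_v6, relay_v4s, packets_per_relay, trace_prob, seed=0):
    """Constructed scenario: the attacker forges the victim's native address as S6
    and spreads packets over many relays. Returns the traces the victim receives."""
    rng = random.Random(seed)
    traces = []
    for relay_v4 in relay_v4s:
        relay_d6 = str(sixto4_address(relay_v4))
        for _ in range(packets_per_relay):
            pkt = Encapsulated(s4=attacker_v4, d4=relay_v4, s6=victim_v6, d6=relay_d6)
            accepted, trace = router_receive(pkt, relay_v4, trace_prob, rng)
            if accepted and trace is not None:
                traces.append(trace)
    return traces


def identify_attacker(traces):
    """The attacked party aggregates the reported S4 across all relays."""
    if not traces:
        return None
    return Counter(t.reported_s4 for t in traces).most_common(1)[0][0]


if __name__ == "__main__":
    relays = [f"198.51.100.{i}" for i in range(1, 201)]  # constructed: 200 relays
    traces = simulate_attack("203.0.113.7", "2001:db8::1", relays, 5, 0.05)
    print(f"{len(traces)} traces from {len({t.src6 for t in traces})} relays; "
          f"attacker identified as {identify_attacker(traces)}")
```

With x = 5% and only five packets per relay, no single relay sees enough to rate-limit, yet the victim collects tens of traces that all carry the same S4; the signature lives in the aggregate, not in any one relay.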