Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt

[Alain Durand <Alain.Durand@Sun.COM>]

This could be a very good deterent.

   - Alain.


Christian Huitema wrote:

> Which is why we need some sort of mitigation. One way to make the attack
> risky for the attacker is to send back a tracing message, as follow:
>
> Upon reception of a 6to4 packet from IPv4 source S4, IPv4 destination
> D4, IPv6 source S6 and IPv6 destination D6, the 6to4 router performs
> ingress checks. If S6 is a "native" (non 6to4) IPv6 address, the router
> checks that D6 is a local destination, i.e. a 6to4 address whose header
> embeds the destination D4; if that it not the case, it drops the packet.
> (This is as specified today.) If D4 and D6 have the right value, the
> 6to4 router picks a random boolean value, true x% of the time; if the
> value is true, the router formats and send an IPv6 packet, such as:
> 	IPv6 source: the router's 6to4 address;
> 	IPv6 destination: S6
> 	Payload type and format: TBD
> 	Content: includes notation of S4
> In a situation of attack, these packets can be retrieved by S6 (the
> attacked party) to identify S4 (the IPv4 attacker.) It does not matter
> that the attack is spread to a large number of relays: x% of the
> attacker's packet will provide a sufficient signature, they will all
> contain the address S4.
>
> -- Christian Huitema
>