Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
This could be a very good deterrent.
- Alain.
Christian Huitema wrote:
Which is why we need some sort of mitigation. One way to make the attack
risky for the attacker is to send back a tracing message, as follows:
Upon reception of a 6to4 packet from IPv4 source S4, IPv4 destination
D4, IPv6 source S6 and IPv6 destination D6, the 6to4 router performs
ingress checks. If S6 is a "native" (non-6to4) IPv6 address, the router
checks that D6 is a local destination, i.e. a 6to4 address whose header
embeds the destination D4; if that is not the case, it drops the packet.
(This is as specified today.) If D4 and D6 have the right value, the
6to4 router picks a random boolean value, true x% of the time; if the
value is true, the router formats and sends an IPv6 packet, such as:
IPv6 source: the router's 6to4 address;
IPv6 destination: S6
Payload type and format: TBD
Content: includes notation of S4
In a situation of attack, these packets can be retrieved by S6 (the
attacked party) to identify S4 (the IPv4 attacker). It does not matter
that the attack is spread to a large number of relays: x% of the
attacker's packets will provide a sufficient signature; they will all
contain the address S4.
-- Christian Huitema
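The ingress check and probabilistic tracing message described in the quoted text, written out as an added Python sketch; this is not code from the draft or from either poster. The Trace layout, the x% knob, the three-router scenario and all addresses are assumptions, since the post leaves the payload format TBD.

```python
import ipaddress
import random
from dataclasses import dataclass
SIXTO4 = ipaddress.IPv6Network("2002::/16")

def sixto4_address(v4, suffix="::1"):
    """Build 2002:WWXX:YYZZ::suffix, the 6to4 address that embeds IPv4 address v4."""
    b = ipaddress.IPv4Address(v4).packed
    return ipaddress.IPv6Address(f"2002:{b[0]:02x}{b[1]:02x}:{b[2]:02x}{b[3]:02x}{suffix}")

def embedded_v4(v6):
    """IPv4 address embedded in a 6to4 address, or None when v6 is a native IPv6 address."""
    v6 = ipaddress.IPv6Address(v6)
    return ipaddress.IPv4Address(v6.packed[2:6]) if v6 in SIXTO4 else None

@dataclass
class Trace:                     # hypothetical tracing message; the post leaves its format TBD
    src6: ipaddress.IPv6Address  # the router's own 6to4 address
    dst6: ipaddress.IPv6Address  # S6, the party being informed
    s4: ipaddress.IPv4Address    # S4 from the outer IPv4 header, i.e. who really sent it

def ingress(router_v4, s4, d4, s6, d6, x_percent, rng=random):
    """Ingress decision for one decapsulated packet: ('drop', None) or ('forward', Trace or None)."""
    if embedded_v4(s6) is not None:                   # 6to4 source: the native-source check does not apply
        return ("forward", None)
    if embedded_v4(d6) != ipaddress.IPv4Address(d4):  # D6 must be a local 6to4 address embedding D4
        return ("drop", None)
    if rng.random() * 100 < x_percent:                # random boolean, true x% of the time
        return ("forward", Trace(sixto4_address(router_v4), ipaddress.IPv6Address(s6), ipaddress.IPv4Address(s4)))
    return ("forward", None)

def attribute(traces):
    """S6's side: tally the S4 reported by the tracing messages it received."""
    counts = {}
    for t in traces:
        counts[str(t.s4)] = counts.get(str(t.s4), 0) + 1
    return counts

def simulate(n_packets, x_percent, seed=1):
    """Constructed scenario: attacker S4 spoofs native victim S6 and spreads packets over three routers."""
    rng = random.Random(seed)
    attacker, victim = "198.51.100.7", "2001:db8::1"
    routers = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    received = []
    for i in range(n_packets):
        r4 = routers[i % len(routers)]
        _, trace = ingress(r4, attacker, r4, victim, str(sixto4_address(r4)), x_percent, rng)
        if trace is not None:
            received.append(trace)
    return attribute(received)
```

Spreading the packets over several routers changes nothing for the victim: every trace it collects still names the same S4.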