Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt

["Fred L. Templin" <ftemplin@IPRG.nokia.com>]

Alain/Christian,

Maybe I missed something, but could it not be the case that the
attacker is randomly varying his source address? In which case,
the log collected at S6 may contain uncorrelated (and
untraceable) S4's?

Fred
ftemplin@iprg.nokia.com

Alain Durand wrote:
> This could be a very good deterent.
>
>    - Alain.
>
>
> Christian Huitema wrote:
>
> > Which is why we need some sort of mitigation. One way to make the attack
> > risky for the attacker is to send back a tracing message, as follow:
> >
> > Upon reception of a 6to4 packet from IPv4 source S4, IPv4 destination
> > D4, IPv6 source S6 and IPv6 destination D6, the 6to4 router performs
> > ingress checks. If S6 is a "native" (non 6to4) IPv6 address, the router
> > checks that D6 is a local destination, i.e. a 6to4 address whose header
> > embeds the destination D4; if that it not the case, it drops the packet.
> > (This is as specified today.) If D4 and D6 have the right value, the
> > 6to4 router picks a random boolean value, true x% of the time; if the
> > value is true, the router formats and send an IPv6 packet, such as:
> >     IPv6 source: the router's 6to4 address;
> >     IPv6 destination: S6
> >     Payload type and format: TBD
> >     Content: includes notation of S4
> > In a situation of attack, these packets can be retrieved by S6 (the
> > attacked party) to identify S4 (the IPv4 attacker.) It does not matter
> > that the attack is spread to a large number of relays: x% of the
> > attacker's packet will provide a sufficient signature, they will all
> > contain the address S4.
> >
> > -- Christian Huitema