
Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



Alain/Christian,

Maybe I missed something, but could it not be the case that the
attacker is randomly varying his source address? In which case,
the log collected at S6 may contain uncorrelated (and
untraceable) S4's?

Fred
ftemplin@iprg.nokia.com

Alain Durand wrote:
This could be a very good deterrent.

   - Alain.


Christian Huitema wrote:

Which is why we need some sort of mitigation. One way to make the attack
risky for the attacker is to send back a tracing message, as follows:

Upon reception of a 6to4 packet from IPv4 source S4, IPv4 destination
D4, IPv6 source S6 and IPv6 destination D6, the 6to4 router performs
ingress checks. If S6 is a "native" (non 6to4) IPv6 address, the router
checks that D6 is a local destination, i.e. a 6to4 address whose header
embeds the destination D4; if that is not the case, it drops the packet.
(This is as specified today.) If D4 and D6 have the right value, the
6to4 router picks a random boolean value, true x% of the time; if the
value is true, the router formats and sends an IPv6 packet, such as:
IPv6 source: the router's 6to4 address;
IPv6 destination: S6
Payload type and format: TBD
Content: includes notation of S4
In a situation of attack, these packets can be retrieved by S6 (the
attacked party) to identify S4 (the IPv4 attacker). It does not matter
that the attack is spread to a large number of relays: x% of the
attacker's packets will provide a sufficient signature; they will all
contain the address S4.

-- Christian Huitema
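The ingress check and probabilistic tracing message described in Christian's proposal, written out as an added Python simulation (not code from the draft or from any of the posters). It assumes the router's 6to4 address uses interface ID ::1, that x is given as a percentage, and it adds an S6-side counter so the effect of a varying S4 (Fred's question) is visible in the tally.

```python
import ipaddress
import random
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def sixto4_address(v4: str) -> ipaddress.IPv6Address:
    """2002:WWXX:YYZZ::1 for IPv4 WW.XX.YY.ZZ (::1 interface ID is an assumption)."""
    return ipaddress.IPv6Address((0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80) | 1)


def embedded_v4(v6: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in a 6to4 address, or None for a native address."""
    if v6 not in SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


@dataclass
class Trace:
    src: ipaddress.IPv6Address            # the router's own 6to4 address
    dst: ipaddress.IPv6Address            # S6, the party that may be under attack
    reported_s4: ipaddress.IPv4Address    # "notation of S4" carried in the payload


def ingress(router_v4: str, s4: str, d4: str, s6: str, d6: str,
            x_percent: float, rng: random.Random) -> Tuple[str, Optional[Trace]]:
    """Router-side check on one encapsulated packet: ('drop'|'forward', trace-or-None)."""
    s6a, d6a = ipaddress.IPv6Address(s6), ipaddress.IPv6Address(d6)
    if s6a in SIXTO4_PREFIX:
        return "forward", None            # 6to4 source: the proposed tracing does not apply
    # Native IPv6 source: D6 must be a local 6to4 address embedding this router's D4.
    if embedded_v4(d6a) != ipaddress.IPv4Address(d4):
        return "drop", None
    if rng.random() * 100 < x_percent:    # true x% of the time
        return "forward", Trace(sixto4_address(router_v4), s6a, ipaddress.IPv4Address(s4))
    return "forward", None


def identify_sources(traces) -> Counter:
    """S6-side tally: a fixed S4 dominates the count; a varying S4 spreads it thin."""
    return Counter(str(t.reported_s4) for t in traces)
```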