Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
Christian Huitema wrote:
> With a defense like the one I propose, it becomes about as hard to spoof
> a v6 address using 6to4 as it is to spoof a v4 address (or a v6 address)
> in the first place, which implies that 6to4 would have a neutral effect
> on Internet security.

This is the part I was missing. To paraphrase, without your proposed
mechanism a v6 source address using 6to4 can be spoofed more easily
than a v4 source address since the 6to4 router strips off the v4
source. With your proposed mechanism, a v6 source address using 6to4
can be spoofed IFF the v4 source can be spoofed, i.e., v6 using 6to4
and v4 are equally (in)secure.

I don't have a strong opinion on whether/not this is good enough.
But, I do see a difference in the two models: in the v4 case, the
v4 destination receives the log of v4 source addresses. In the v6
case (and using your mechanism) the *true* v6 source receives the
log of v4 source addresses.

Thanks,

Fred
ftemplin@iprg.nokia.com
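Added example, not code from the thread or from Christian's proposal: a decapsulation-time check at the 6to4 router that compares the v4 address embedded in a 2002::/16 source against the encapsulating v4 header, and records that v4 source before the header is stripped, so the v6 source is spoofable only if the outer v4 source is. The sample packets and the "relay-path" verdict for non-6to4 inner sources are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix: 2002:V4ADDR::/48


def embedded_v4(v6_src: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in bits 16..47 of a 6to4 address; None if not 6to4."""
    v6 = ipaddress.IPv6Address(v6_src)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def decapsulate(outer_v4_src: str, inner_v6_src: str, log: List[str]) -> Tuple[str, str]:
    """Consistency check run before the v4 header is discarded.

    Returns (verdict, detail). The outer v4 source is appended to `log` in every
    case, so the v4 origin survives decapsulation even though the forwarded
    v6 packet no longer carries it.
    """
    v4 = ipaddress.IPv4Address(outer_v4_src)
    claimed = embedded_v4(inner_v6_src)
    if claimed is None:
        # Native v6 source arriving through a relay: needs separate relay checks (assumption).
        verdict, detail = "relay-path", "inner source is not 6to4; relay checks apply"
    elif claimed == v4:
        verdict, detail = "accept", "embedded v4 matches outer v4 source"
    else:
        verdict, detail = "drop", f"6to4 source claims {claimed} but arrived from {v4}"
    log.append(f"outer_src={v4} inner_src={inner_v6_src} verdict={verdict}")
    return verdict, detail


# Constructed sample packets (outer v4 source, inner v6 source), not captured traffic.
SAMPLE_PACKETS = [
    ("192.0.2.4", "2002:c000:204::1"),     # honest 6to4 host, embedded v4 = 192.0.2.4
    ("198.51.100.9", "2002:c000:204::1"),  # claims 192.0.2.4 but came from elsewhere
    ("203.0.113.7", "2001:db8::1"),        # native v6 source, arrived via some relay
]


def run_samples() -> Tuple[List[str], List[str]]:
    """Run the check over the constructed packets; returns (verdicts, log lines)."""
    log: List[str] = []
    verdicts = [decapsulate(o, i, log)[0] for o, i in SAMPLE_PACKETS]
    return verdicts, log
```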