
RE: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



> The proposed solution (which seems like a nice idea to me) is that the
> _attacked node_ (ipv6 source address in the spoofed packets) receives
> these reports -- seems the same as the case in v4 (with the exception that
> reports are received from the internet, not from received packets
> themselves).
> 
> But this is by no means simple as that; you have to consider things like
> the attacker sending false reports to the target directly to "water down"
> the report results.

Remember, the only property of the solution is to make anonymous DOS
attacks as hard in IPv4+6to4 as it would be in just IPv4. The attacker
needs to be able to spoof its own source address to send false reports,
otherwise the reports can be used to trace him.

> As such this is very much like iTrace, and if implemented, I guess this
> should be just an extension (or simplification) of it, for this specific
> purpose.

Yes.

Note that there is a class of attack that is not completely discussed in
your draft, i.e. what happens if a relay does not implement the checks.
For example, suppose a relay that simply listens on the anycast address,
takes packets, and forwards them without further checks. Building such
relays is tempting, as you can cut costs: no need to check the IPv6
source address, etc. Obviously, that could have some interesting
consequences.

-- Christian Huitema
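As an added illustration (not code from this thread or from the draft), the kind of source-address check a cost-cutting relay would skip: a protocol-41 packet is only decapsulated if its inner IPv6 source is a 2002::/16 address whose embedded IPv4 address matches the outer IPv4 source and is a plausible global unicast address. All function names, the bogon list and the sample addresses are constructed for this example.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")
IPPROTO_IPV6 = 41
# Constructed list of IPv4 ranges that can never be a real 6to4 site address.
BOGON_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def embedded_ipv4(v6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address."""
    return ipaddress.IPv4Address(v6.packed[2:6])

def relay_ingress_check(outer_src, inner_src):
    """Decide whether a relay should decapsulate a packet claiming to come
    from a 6to4 site. Returns (accept: bool, reason: str)."""
    v4 = ipaddress.IPv4Address(outer_src)
    v6 = ipaddress.IPv6Address(inner_src)
    if v6 not in SIXTO4:
        return False, "inner source is not a 2002::/16 address"
    if embedded_ipv4(v6) != v4:
        return False, f"embedded {embedded_ipv4(v6)} != outer source {v4}"
    if any(v4 in n for n in BOGON_V4):
        return False, f"outer source {v4} is not a global unicast address"
    return True, "consistent 6to4 source"

def check_proto41_packet(pkt):
    """Parse a raw IPv4 packet (bytes) and, if it carries IPv6 in protocol
    41, run the ingress check on the outer/inner source pair."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_IPV6:
        return False, "not an IPv4-encapsulated IPv6 packet"
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "truncated or non-IPv6 payload"
    inner_src = str(ipaddress.IPv6Address(inner[8:24]))
    return relay_ingress_check(outer_src, inner_src)

def build_packet(outer_src, inner_src):
    """Constructed sample: minimal IPv4 header (proto 41) + bare IPv6 header."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address("192.0.2.99").packed)
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address("2001:db8::1").packed)
    return v4 + v6
```

A relay that drops packets failing relay_ingress_check leaves a spoofer only the option of also spoofing the outer IPv4 source, which is exactly the IPv4-equivalent difficulty the message above argues for.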