RE: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
On Thu, 19 Dec 2002, Christian Huitema wrote:
> Remember, the only property of the solution is to make anonymous DOS
> attacks as hard in IPv4+6to4 as it would be in just IPv4. The attacker
> needs to be able to spoof its own source address to send false reports,
> otherwise the reports can be used to trace him.
True.
(However, if the attacker has v6 access which isn't ingress filtered, he
could send some reports anyway -- but then it would be cheaper for him to
just launch a direct DoS, not use 6to4 at all.)
> > As such this is very much like iTrace, and if implemented, I guess this
> > should be just an extension (or simplification) of it, for this specific
> > purpose.
>
> Yes.
>
> Note that there is a class of attack that is not completely discussed in
> your draft, i.e. what happens if a relay does not implement the checks.
> For example, suppose a relay that simply listens on the anycast address,
> takes packets, and forwards them without further checks. Building such
> relays is tempting, as you can cut costs: no need to check the IPv6
> source address, etc. Obviously, that could have some interesting
> consequences.
The non-compliant (or reckless) implementation part was deliberately
excluded (except for a few special cases) from the threat analysis, as
there are way too many things that could go wrong.
Relays (that operate in v6 native -> 6to4 direction) will have to have
6to4 router code in anyway, though, so I don't think there's a significant
difference in cost and complexity... but even so, of course, it could be
done.
I'll consider whether there are some critical checks that relays must do
(usually ones that are difficult to implement, for one reason or another).
--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                     not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords
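The "checks" the thread refers to are the consistency tests a 6to4 router or relay applies when decapsulating traffic that arrived over IPv4 and when encapsulating native IPv6 traffic toward a 2002::/16 destination. The following is an added example, not code from the draft or from either poster, showing one such check set in Python: the IPv4 address embedded in a 2002:V4ADDR::/48 source must equal the outer IPv4 source, and embedded addresses must not fall in a bogon list. The bogon list (including the 6to4 relay anycast prefix 192.88.99.0/24), the rejection of 2002::/16 sources arriving from the native side, and the sample packets are this example's own assumptions; the site address 198.51.100.7 and the 2001:db8:: prefixes are constructed documentation values.

```python
import ipaddress
from typing import List, Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Assumed bogon policy for embedded/outer IPv4 addresses (not taken from the draft).
MARTIANS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "192.88.99.0/24",   # 6to4 relay anycast prefix: never a legitimate site address
)]


def embedded_v4(addr6: str) -> Optional[ipaddress.IPv4Address]:
    """Return V4ADDR from a 2002:V4ADDR::/48 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIXTO4:
        return None
    # Bytes 2..5 of the 16-byte address carry the embedded IPv4 address.
    return ipaddress.IPv4Address(a.packed[2:6])


def is_martian(addr4) -> bool:
    a = ipaddress.IPv4Address(addr4)
    return any(a in n for n in MARTIANS)


def check_from_v4(outer_src4: str, inner_src6: str) -> Tuple[bool, str]:
    """Decapsulation check for a packet that arrived as IPv4 protocol 41.

    The inner IPv6 source must be a 6to4 address whose embedded IPv4 address
    equals the outer IPv4 source; otherwise the IPv6 source is spoofed relative
    to the tunnel endpoint and traceback (the 'reports' in the thread) breaks.
    """
    emb = embedded_v4(inner_src6)
    if emb is None:
        return False, "inner-src-not-6to4"
    if emb != ipaddress.IPv4Address(outer_src4):
        return False, "embedded-v4-mismatch"
    if is_martian(emb):
        return False, "martian-embedded-v4"
    return True, "ok"


def check_to_v4(inner_src6: str, inner_dst6: str) -> Tuple[bool, str, Optional[str]]:
    """Encapsulation check for a native IPv6 packet headed to a 2002::/16 site.

    Returns (ok, reason, outer_ipv4_destination). A 2002::/16 source arriving
    from the native side is rejected here as an assumed policy choice.
    """
    if ipaddress.IPv6Address(inner_src6) in SIXTO4:
        return False, "6to4-src-from-native-side", None
    emb = embedded_v4(inner_dst6)
    if emb is None:
        return False, "inner-dst-not-6to4", None
    if is_martian(emb):
        return False, "martian-embedded-v4", None
    return True, "ok", str(emb)


# Constructed sample packets: (direction, header fields).
SAMPLE = [
    ("from_v4", {"outer_src4": "198.51.100.7", "inner_src6": "2002:c633:6407::1"}),
    ("from_v4", {"outer_src4": "198.51.100.7", "inner_src6": "2002:a00:1::1"}),   # embeds 10.0.0.1
    ("from_v4", {"outer_src4": "10.0.0.1", "inner_src6": "2002:a00:1::1"}),
    ("from_v4", {"outer_src4": "198.51.100.7", "inner_src6": "2001:db8::1"}),
    ("to_v4", {"inner_src6": "2001:db8::9", "inner_dst6": "2002:c633:6407::1"}),
    ("to_v4", {"inner_src6": "2001:db8::9", "inner_dst6": "2002:e000:1::1"}),     # embeds 224.0.0.1
    ("to_v4", {"inner_src6": "2002:c633:6407::1", "inner_dst6": "2002:c633:6407::2"}),
]


def audit(packets) -> List[Tuple[str, bool, str]]:
    """Run the direction-appropriate check over each packet and collect verdicts."""
    verdicts = []
    for direction, hdr in packets:
        if direction == "from_v4":
            ok, reason = check_from_v4(hdr["outer_src4"], hdr["inner_src6"])
        else:
            ok, reason, _ = check_to_v4(hdr["inner_src6"], hdr["inner_dst6"])
        verdicts.append((direction, ok, reason))
    return verdicts


if __name__ == "__main__":
    for direction, ok, reason in audit(SAMPLE):
        print(f"{direction:8s} {'ACCEPT' if ok else 'DROP  '} {reason}")
```

A relay that skips `check_from_v4` is exactly the cost-cutting relay described above: it will happily decapsulate a packet whose inner 2002:: source names some third party, so the victim of a reflected flood sees a 6to4 address that points at an uninvolved site rather than at the true IPv4 tunnel endpoint.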