Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
- To: v6ops@ops.ietf.org
- Subject: Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt
- From: Brian E Carpenter <brian@hursley.ibm.com>
- Date: Thu, 09 Jan 2003 17:03:35 +0100
- Organization: IBM
- References: <DAC3FCB50E31C54987CD10797DA511BA1D2A93@WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com> <3E00FE9D.5050206@sun.com> <3E0106A9.9050003@iprg.nokia.com> <3E010A7D.40102@sun.com> <3E010DE7.5060805@iprg.nokia.com> <3E010E01.7010906@sun.com>
(catching up on old mail)
It's probably worth saying yet again that without ingress filtering
in place, we are exposed to an infinity of spoofing attacks, and
6to4 spoofing is a drop in the ocean. So two basic assumptions, that
should probably be stated clearly in the draft, are that ISPs run
ingress filtering, and that 6to4 routers and relays are correctly
implemented. Without these conditions, there is no hope anyway.
Brian
Alain Durand wrote:
>
> Fred L. Templin wrote:
>
> >
> > Maybe I'm behind the times here, but when I last looked at DDoS
> > attacks randomly varying the IPv4 source address was an element
> > that made the attacks particularly difficult to trace. At that
> > time, it was not necessarily true that all sites in the global
> > IPv4 Internet properly configured IPv4 ingress filtering. Are
> > you saying this is no longer the case?
>
> Some ISPs do ingress filtering, some don't.
> The issue here is to make sure 6to4 will not be used
> as a way to bypass ingress filtering when/if in place.
>
> - Alain.