
Re: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



On Thu, 9 Jan 2003, Brian E Carpenter wrote:
> It's probably worth saying yet again that without ingress filtering
> in place, we are exposed to an infinity of spoofing attacks, and
> 6to4 spoofing is a drop in the ocean. So two basic assumptions, that
> should probably be stated clearly in the draft, are that ISPs run
> ingress filtering, and that 6to4 routers and relays are correctly
> implemented. Without these conditions, there is no hope anyway.

Well, yes -- it should be made clearer.

But also, no -- 6to4 and similar mechanisms could also be nice tools to
distract spoofed attacks, even if there was no ingress filtering used at
all.  That is because tracing spoofed DoS attacks currently involves
basically tracing back packets hop-by-hop.  At some point, it usually gets
impossible to do.  If you are next-door neighbours topology-wise, 6to4 or
similar mechanisms could be used to launder this traffic so it would
appear to come from somewhere else.

Obviously, the second point would be moot if iTrace-like mechanisms
were generally deployed.

And perhaps the second kind of attack is a bit on the theoretical side
anyway -- unless the first kind is proven unsuccessful enough, most
attackers won't really want to bother figuring out how they could use 6to4
etc. as an extra indirection layer.

I don't think it's realistic to assume the world, either v4 or v6, will run
ingress filtering at a significant enough level that we wouldn't
have to worry about spoofing.  Instead, using tracing mechanisms we could
1) make the Internet a much better place, and 2) find those folks who
obviously don't do ingress filtering and start bugging them _directly_ (think
of the lists of known "directed-broadcast reflectors" some years ago) to
install it.

> Alain Durand wrote:
> > 
> > Fred L. Templin wrote:
> > 
> > >
> > > Maybe I'm behind the times here, but when I last looked at DDoS
> > > attacks randomly varying the IPv4 source address was an element
> > > that made the attacks particularly difficult to trace. At that
> > > time, it was not necessarily true that all sites in the global
> > > IPv4 Internet properly configured IPv4 ingress filtering. Are
> > > you saying this is no longer the case?
> > 
> > Some ISPs do ingress filtering, some don't.
> > The issue here is to make sure 6to4 will not be used
> > as a way to bypass ingress filtering when/if in place.
> > 
> >     - Alain.
> 

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
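One concrete form of the "correctly implemented 6to4 router" assumption that Brian and Alain refer to, added here as an illustration and not code from the thread or the draft: after decapsulating a protocol-41 packet, the router checks that the IPv4 address embedded in a 2002::/16 source matches the outer IPv4 source (so the tunnel cannot be used to launder a spoofed IPv4 source into a different-looking IPv6 one), rejects embedded addresses that could never have reached it, and accepts native IPv6 sources only from its relay. The relay address default and the unroutable-range list are assumptions, and the addresses in the examples are constructed.

```python
import ipaddress
from typing import Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# Assumed subset of IPv4 ranges that must never appear embedded in a 6to4
# source: no real 6to4 router could have sent us a packet from them.
UNROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_ipv4(addr6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in bits 16-47 of a 2002:V4ADDR::/48 address, else None."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def accept_decapsulated(outer_src4: str, inner_src6: str,
                        relay4: str = "192.88.99.1") -> Tuple[bool, str]:
    """Decide whether a 6to4 router keeps a packet it has just decapsulated.

    outer_src4: IPv4 source of the encapsulating (protocol 41) packet
    inner_src6: IPv6 source of the encapsulated packet
    relay4:     IPv4 address of the relay this router uses (assumed; the
                6to4 anycast address by default)
    """
    outer = ipaddress.IPv4Address(outer_src4)
    embedded = embedded_ipv4(inner_src6)
    if embedded is None:
        # Native IPv6 source: legitimate only when it arrived via our relay.
        if outer == ipaddress.IPv4Address(relay4):
            return True, "native IPv6 source via relay"
        return False, "native IPv6 source from a non-relay IPv4 host"
    if any(embedded in n for n in UNROUTABLE):
        return False, f"embedded IPv4 {embedded} is not routable"
    if embedded != outer:
        # The laundering case: the IPv4 header and the 6to4 prefix disagree.
        return False, f"embedded {embedded} != outer IPv4 source {outer}"
    return True, "6to4 source consistent with outer IPv4 source"


if __name__ == "__main__":
    # Constructed sample packets: one consistent, one laundered.
    for outer, inner in [("203.0.113.5", "2002:cb00:7105::1"),
                         ("198.51.100.9", "2002:cb00:7105::1")]:
        print(outer, inner, accept_decapsulated(outer, inner))
```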