
RE: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



> With a defense like the one I propose, it becomes about as hard to spoof
> a v6 address using 6to4 as it is to spoof a v4 address (or a v6 address)
> in the first place, which implies that 6to4 would have a neutral effect
> on Internet security.

Not quite. You are proposing an ITRACE-like detection mechanism whereas
ingress filtering is a prevention mechanism. 
Thus once somebody is attacked they could scramble around looking for
the detector that has hopefully logged your ITRACE-like packets (assuming
those packets weren't filtered out by an over-zealous firewall).

One note on the proposed ITRACE-like mechanism.
What you specify is known as reverse-itrace.
It also makes sense to do forward itrace where the reports are sent
to the IPv6 DST (telling it the relationship between S4 and S6).
That way in case the attack doesn't use reflection but is just e.g.
a good old SYN attack, the victim sees the reports.

I wonder if the packet formats in draft-ietf-itrace-03.txt can
carry IPv6 addresses and be extended to carry S4.

  Erik
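As an added example (my own code, not Erik's, the draft's, or draft-ietf-itrace-03's report format), a relay-side sketch of the S4/S6 relationship a forward report would carry to the IPv6 DST: it parses a constructed IPv4 protocol-41 packet, extracts S4, S6 and D6, and records whether a 2002::/16 source's embedded IPv4 address matches the outer S4 (so the victim can tell a consistent 6to4 source from a spoofed one). Packet bytes and addresses are constructed for the example.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def parse_6to4_packet(pkt: bytes) -> dict:
    """Split an IPv4 (protocol 41) packet into S4, S6 and D6."""
    if pkt[0] >> 4 != 4 or pkt[9] != 41:
        raise ValueError("not an IPv4 protocol-41 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length
    s4 = ipaddress.IPv4Address(pkt[12:16])         # outer IPv4 source
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return {
        "s4": s4,
        "s6": ipaddress.IPv6Address(inner[8:24]),  # inner IPv6 source
        "d6": ipaddress.IPv6Address(inner[24:40]), # inner IPv6 destination
    }


def embedded_v4(addr6):
    """IPv4 address embedded in a 2002:V4ADDR::/48 6to4 address, else None."""
    if addr6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(addr6.packed[2:6])


def forward_report(pkt: bytes) -> dict:
    """Build the record a relay would send to D6 (hypothetical format)."""
    info = parse_6to4_packet(pkt)
    emb = embedded_v4(info["s6"])
    info["report_to"] = info["d6"]
    info["s6_is_6to4"] = emb is not None
    # True/False for 6to4 sources; None when S6 is native (no embedded v4)
    info["s4_matches_s6"] = (emb == info["s4"]) if emb is not None else None
    return info


def build_packet(s4: str, s6: str, d6: str) -> bytes:
    """Constructed IPv4-in-IPv6 sample: 20-byte IPv4 header + 40-byte IPv6 header."""
    inner = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                        ipaddress.IPv6Address(s6).packed,
                        ipaddress.IPv6Address(d6).packed)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        41, 0, ipaddress.IPv4Address(s4).packed,
                        ipaddress.IPv4Address("192.0.2.1").packed)
    return outer + inner
```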