RE: Residual threats in draft-savola-v6ops-6to4-security-02.txt?
> So I think documenting the methods of mitigation is the only option
> in practice. Of course, if someone comes up with another low-configuration
> solution for hopping over uncooperative ISPs, that's fine too. That's
> where the recent conversation about tunnel brokers came from.
The recent discussion showed some new concerns, and also some possible solutions. Itojun raised an important point: if your relay is used as part of a DoS attack from IPv6 to an unsuspecting IPv4 node, then all packets will appear to come from the relay's IPv4 address. Pekka proposed a simple fix: just source the packets from 196.88.99.1, so they won't be traceable to the ISP, and the ISP won't be easily sued. That's a bit of a cop-out, though, and removing traceability is not necessarily very good. If we are concerned with DoS attacks, the proper solution is probably some form of rate-limiting, e.g. applying a fair queuing algorithm based on the destination address.
-- Christian Huitema
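The per-destination rate-limiting that the message above suggests for the IPv6-to-IPv4 direction of a 6to4 relay, as an added example that is not part of the list post and not code from any real relay. It assumes a simplified packet model (timestamp, inner IPv6 source, inner IPv6 destination), derives the outer IPv4 destination from the 2002::/16 prefix layout of RFC 3056, polices each IPv4 destination with its own token bucket, and records the inner IPv6 source of every forwarded packet so the operator can still trace abuse even though the outer IPv4 source is the relay's own address. The addresses, rates and traffic mix in `simulate()` are constructed for the demonstration.

```python
"""Per-destination policing for the IPv6 -> IPv4 direction of a 6to4 relay.

Added example (not from the list post or any real relay implementation).
A flood aimed at one IPv4 host is capped by that host's bucket while traffic
to other hosts keeps flowing; forwarded packets are logged with their inner
IPv6 source for traceability.
"""
from collections import Counter
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def embedded_ipv4(dst6: str):
    """Return the IPv4 address embedded in a 2002:V4ADDR::/48 destination, or None."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in SIXTO4_PREFIX:
        return None
    # Bits 16..47 of the 6to4 address carry the IPv4 address (bytes 2..5).
    return ipaddress.IPv4Address(addr.packed[2:6])


class TokenBucket:
    """Classic token bucket: `rate` packets/s refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: float, now: float):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RelayPolicer:
    """Decide, per packet, whether the relay encapsulates it toward IPv4."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.buckets = {}   # outer IPv4 destination -> TokenBucket
        self.audit = []     # (time, inner IPv6 src, outer IPv4 dst) of forwarded packets

    def forward(self, now: float, src6: str, dst6: str) -> str:
        dst4 = embedded_ipv4(dst6)
        if dst4 is None:
            return "not-6to4"   # the relay only serves 2002::/16 destinations
        bucket = self.buckets.get(dst4)
        if bucket is None:
            bucket = self.buckets[dst4] = TokenBucket(self.rate, self.burst, now)
        if not bucket.allow(now):
            return "drop"
        # The outer IPv4 source will be the relay's own address, so keep the
        # inner source on record; this is what answers an abuse report later.
        self.audit.append((now, src6, str(dst4)))
        return "forward"


def simulate() -> dict:
    """Constructed traffic: a flood toward one 6to4 site plus light traffic to another."""
    policer = RelayPolicer(rate=50.0, burst=20.0)
    victim = "2002:c633:6401::1"   # embeds 198.51.100.1 (documentation range)
    other = "2002:cb00:7101::1"    # embeds 203.0.113.1 (documentation range)
    attacker = "2001:db8::bad"     # constructed inner IPv6 source of the flood
    client = "2001:db8::1"         # constructed legitimate inner IPv6 source
    results = Counter()
    for t in (0.0, 1.0):
        for _ in range(100):       # 100 packets per instant toward the victim
            results["victim", policer.forward(t, attacker, victim)] += 1
        for _ in range(5):         # 5 packets per instant toward the other site
            results["other", policer.forward(t, client, other)] += 1
    # A native IPv6 destination is not the relay's job at all.
    results["native", policer.forward(2.0, client, "2001:db8::2")] += 1
    return dict(results)


if __name__ == "__main__":
    for key, count in sorted(simulate().items()):
        print(key, count)
```

With a burst of 20 and a refill of 50 packets/s, the victim's bucket admits 20 packets at t=0 and another 20 at t=1, dropping the remaining 160, while every packet to the other site is forwarded because it draws on a separate bucket. A production relay would key the same logic on the actual outer destination after encapsulation and age out idle buckets.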