Re: Residual threats in draft-savola-v6ops-6to4-security-02.txt?
Sure. I'd be happy to see this covered in the final version of Pekka's
document.
Brian
Christian Huitema wrote:
>
> > So I think documenting the methods of mitigation is the only option
> > in practice. Of course, if someone comes up with another low-configuration
> > solution for hopping over uncooperative ISPs, that's fine too. That's
> > where the recent conversation about tunnel brokers came from.
>
> The recent discussion showed some new concerns, and also some possible solutions. Itojun raised an important point: if your relay is used as part of a DoS attack from IPv6 to an unsuspecting IPv4 node, then all packets will appear to come from the relay's IPv4 address. Pekka proposed a simple fix: just source the packets from 196.88.99.1, so they won't be traceable to the ISP, and the ISP won't be easily sued. That's a bit of a cop-out, though, and removing traceability is not necessarily very good. If we are concerned with DoS attacks, the proper solution is probably some form of rate-limiting, e.g. applying a fair queuing algorithm based on the destination address.
>
> -- Christian Huitema
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter
Distinguished Engineer, Internet Standards & Technology, IBM
NEW ADDRESS <brc@zurich.ibm.com> PLEASE UPDATE ADDRESS BOOK
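Christian's closing suggestion, rate-limiting traffic a 6to4 relay forwards from IPv6 toward IPv4 with a discipline keyed on the destination, sketched as added example code that is not from the thread or any relay implementation. The per-destination token bucket, the rates and the packet sample are constructed assumptions; the IPv4 address is taken from the 2002:V4ADDR::/48 destination exactly as a relay would.

```python
# Added example: per-IPv4-destination rate limiting at a 6to4 relay.
# The limiter design, rates and sample traffic are constructed for illustration.
import ipaddress
from collections import defaultdict
from typing import Optional

SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")

def embedded_ipv4(dst6: str) -> Optional[str]:
    """Return the IPv4 address embedded in a 2002:V4ADDR::/48 destination, else None."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in SIXTO4_PREFIX:
        return None
    v4_bits = (int(addr) >> 80) & 0xFFFFFFFF   # bits 16..47 of the 128-bit address
    return str(ipaddress.IPv4Address(v4_bits))

class PerDestinationLimiter:
    """Token bucket per IPv4 destination: 'rate' tokens/sec refill, 'burst' bucket depth."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)   # a new destination starts with a full bucket
        self.last = {}                             # last refill time per destination

    def allow(self, dst4: str, now: float, cost: float = 1.0) -> bool:
        elapsed = now - self.last.get(dst4, now)
        self.tokens[dst4] = min(self.burst, self.tokens[dst4] + elapsed * self.rate)
        self.last[dst4] = now
        if self.tokens[dst4] >= cost:
            self.tokens[dst4] -= cost
            return True
        return False                               # over budget for this victim: drop

def relay(packets, limiter):
    """packets: iterable of (time, ipv6_dst). Returns (forwarded, dropped) counts per IPv4 dst."""
    forwarded, dropped = defaultdict(int), defaultdict(int)
    for t, dst6 in packets:
        dst4 = embedded_ipv4(dst6)
        if dst4 is None:
            continue                               # native IPv6 destination: not relayed here
        (forwarded if limiter.allow(dst4, t) else dropped)[dst4] += 1
    return dict(forwarded), dict(dropped)

def constructed_sample():
    """Constructed burst: 20 packets to one 6to4 site, 3 to another, 1 native IPv6."""
    pkts = [(0.0, "2002:c000:201::1")] * 20 + [(0.0, "2002:c000:202::1")] * 3 + [(0.0, "2001:db8::1")]
    return relay(pkts, PerDestinationLimiter(rate=10.0, burst=5.0))
```

A flood aimed at one embedded IPv4 address is capped at the burst size while traffic to other destinations passes untouched, which is the property a destination-keyed fair-queuing scheme buys the relay operator.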