
RE: Opportunistic Tunneling



> >  2) 6to4 and Teredo (to a lesser degree AFAIK) are pretty anonymous
> > services.  When someone abuses using those addresses, there is no ISP
> > "hosting" the service which would get abuse etc. reports, get
> > blacklisted if someone behaves badly, etc. -- on the other hand, if
> > the ISP offers the service to outsiders using its RIR address space,
> > this will certainly lead to all kinds of nasty administrative
> > actions.. sooner or later raising the question, "why are we even
> > providing this kind of service to outsiders for free, if we get
> > nothing but trouble!?!"
> 
> 	as mentioned in (already expired) transition-abuse draft, 6to4 relay
> 	routers (provided by ISPs) will get abused by malicious parties, and
> 	ISPs get blamed for the traffic being generated by the abuse.  i
> 	strongly disagree with the above statement.

Please note that this is mostly a 6to4 issue. Teredo requires a
three-way handshake before sending data through a relay, which makes
attacks much harder.

For 6to4, Pekka has proposed a solution: that relay routers source
packets from the reserved address 192.88.99.1. This solution certainly
solves the "ISPs get blamed" part, since the 6to4 packets will not
identify a specific relay.

The solution also has the potential of solving the abuse scenario in
which a 3rd party obtains the IPv4 address of a relay and uses it to
send traffic: since the relays are only listening to the anycast
address, they can only receive traffic from networks to which they
advertise the anycast address.

We would also achieve some protection against spoofing if we requested
that 6to4 routers only accept "native IPv6 packets" from the anycast
relay. Hackers will have to be able to spoof IPv4 in order to spoof
IPv6. (Another way to solve this issue is to require a 3-way handshake
similar to Teredo; we could require it if the packet comes from another
address.)

In any case, we should all be aware that hackers do not need to be able
to spoof addresses in order to mount a DDoS attack. The recent attacks
mounted by the MYDOOM worm consisted of establishing TCP connections to
a target site, and loading a page from the site. No spoofing, just very
many connections from very many zombies.

-- Christian Huitema
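The ingress rule Christian describes above (a 6to4 router accepts native-sourced IPv6 only when the encapsulating IPv4 packet comes from the 192.88.99.1 anycast relay) can be written as a small decapsulation check. The following is an added example, not code from the thread or from any 6to4 implementation. It also applies the companion consistency check from RFC 3964 (a 2002::/16 inner source must embed the outer IPv4 source), and the sample packets use documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) that are constructed here, not taken from the thread. The IPv4 header checksum is left at zero because the check never consults it.

```python
import ipaddress
import struct

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # 6to4 relay anycast address (RFC 3068)
IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
IPV6_HDR = "!IHBB16s16s"     # 40-byte fixed IPv6 header


def embedded_v4(addr: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Return the IPv4 address embedded in a 2002:V4ADDR::/48 6to4 address."""
    return ipaddress.IPv4Address(addr.packed[2:6])


def check_6to4_ingress(raw: bytes) -> str:
    """Decide whether a 6to4 router should accept an encapsulated packet.

    Returns "accept" or "drop: <reason>". Rules implemented:
      1. inner destination must be 2002::/16 and embed the outer IPv4 destination;
      2. a 2002::/16 inner source must embed the outer IPv4 source (RFC 3964);
      3. any other (native) inner source is accepted only from the anycast relay,
         which is the rule proposed in the message above.
    """
    if len(raw) < 20:
        return "drop: truncated IPv4 header"
    ver_ihl, _, _, _, _, _, proto, _, osrc, odst = struct.unpack(IPV4_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        return "drop: not IPv4"
    if proto != IPPROTO_IPV6:
        return "drop: not protocol 41"
    inner = raw[(ver_ihl & 0x0F) * 4:]
    if len(inner) < 40:
        return "drop: truncated IPv6 header"
    vtf, _, _, _, isrc, idst = struct.unpack(IPV6_HDR, inner[:40])
    if vtf >> 28 != 6:
        return "drop: inner packet is not IPv6"

    outer_src, outer_dst = ipaddress.IPv4Address(osrc), ipaddress.IPv4Address(odst)
    src6, dst6 = ipaddress.IPv6Address(isrc), ipaddress.IPv6Address(idst)

    # Rule 1: the packet must be for the 6to4 site reached via this IPv4 address.
    if dst6 not in SIXTO4_PREFIX or embedded_v4(dst6) != outer_dst:
        return "drop: inner destination does not match outer IPv4 destination"

    # Rule 2: a 6to4 source can only be spoofed by also spoofing the outer IPv4 source.
    if src6 in SIXTO4_PREFIX:
        if embedded_v4(src6) != outer_src:
            return "drop: 6to4 source does not embed outer IPv4 source"
        return "accept"

    # Rule 3: native IPv6 must have been relayed by the anycast relay.
    if outer_src != RELAY_ANYCAST:
        return "drop: native IPv6 source accepted only from anycast relay"
    return "accept"


def build_packet(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                 payload: bytes = b"") -> bytes:
    """Construct a minimal IPv6-in-IPv4 packet (checksum left at 0, next header 59)."""
    inner = struct.pack(IPV6_HDR, 0x60000000, len(payload), 59, 64,
                        ipaddress.IPv6Address(inner_src).packed,
                        ipaddress.IPv6Address(inner_dst).packed) + payload
    outer = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


# Constructed sample traffic arriving at the 6to4 router for 203.0.113.9 (2002:cb00:7109::/48).
SAMPLES = {
    "6to4 peer, consistent addresses":
        build_packet("198.51.100.7", "203.0.113.9", "2002:c633:6407::1", "2002:cb00:7109::1"),
    "native IPv6 via anycast relay":
        build_packet("192.88.99.1", "203.0.113.9", "2001:db8::1", "2002:cb00:7109::1"),
    "native IPv6 from a non-relay host":
        build_packet("198.51.100.7", "203.0.113.9", "2001:db8::1", "2002:cb00:7109::1"),
    "6to4 source not matching outer source":
        build_packet("192.0.2.5", "203.0.113.9", "2002:c633:6407::1", "2002:cb00:7109::1"),
}


def run_samples() -> dict:
    """Apply the check to every constructed sample and return the verdicts by name."""
    return {name: check_6to4_ingress(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:40s} -> {verdict}")
```

Because the relays in Pekka's proposal all source from 192.88.99.1, rule 3 is a single address comparison and no per-relay state is needed; the trade-off, as the message notes, is that anyone who can spoof the IPv4 source of the anycast address can still inject native-sourced IPv6, which is what the optional Teredo-style handshake would address.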