[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]

To: Fred Templin <ftemplin@iprg.nokia.com>
Subject: Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
From: Pekka Savola <pekkas@netcore.fi>
Date: Fri, 2 Apr 2004 09:58:49 +0300 (EEST)
Cc: IPv6 Operations <v6ops@ops.ietf.org>
In-reply-to: <406C78AA.3010104@iprg.nokia.com>

On Thu, 1 Apr 2004, Fred Templin wrote:
> >The check only protects from someone spoofing their v4 address.  If 
> >the use of link-locals by strangers (remember that these have TTL=255 
> >and are allowed to do anything Neighbor Discovery -wise) is 
> >categorically thought to be harmful (I certainly think so), this 
> >doesn't really help.
> 
> Right, but this is an issue for the upper layers (e.g., ND handling code).

I have to disagree with that.  ND operates with very specific security
assumptions (TTL=255, link-local messages is considered "reasonably
safe").  Those assumptions are valid for typical links (physical,
local point-to-point tunnels, etc.).

Making it possible to send TTL=255 + LL packets from everywhere in the 
Internet breaks this assumption.

So, my argument is that while that assumption has not been
sufficiently well spelled out, you must avoid breaking that assumption
rather than say, "whoops -- we broke the assumption.  Well, figure out
a new means to secure ND, deploy it everywhere where this mechanism is 
deployable -- and make sure it interoperates with current ND 
specifications."

> >Of course, but as LL's are treated specially e.g. by ND code, this 
> >makes the ISATAP decapsulation non-equivalent to 6to4 decapsulation.
>
> I'm not sure what you mean by this; ND handling code comes *after*
> decapsulation; not during - correct? The only mitigations specified
> by 6to4 for decapsulation are found in the second paragraph of
> ([RFC3056], section 10) and these are optional.
> 
> The final sentence of that paragraph says: "2002:: traffic must also
> be excepted from checks applied to prevent spoofing of "6 over 4"
> traffic [6OVER4]." Perhaps a similar sentence with
> s/6over4/ISATAP is needed somewhere?

Link-locals can be discarded by the 6to4 pseudo-interface, as they are
not used for anything.  The spec does not say anything about that.  
(Obviously, discarding is not possible with ISATAP so they aren't
equivalent in that regard.)  draft-ietf-v6ops-6to4-security-02.txt
does mention this though, under "Attacks with ND Messages".

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

Follow-Ups:
- Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
  - From: Fred Templin <ftemplin@iprg.nokia.com>

References:
- Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
  - From: Fred Templin <ftemplin@iprg.nokia.com>

Prev by Date: Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
Next by Date: Re: [tcpm] TCP, multiple addresses and soft errors when connecting
Previous by thread: Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
Next by thread: Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
Index(es):
- Date
- Thread