
Re: Routing loop attacks using IPv6 tunnels



On 2009-09-15 04:25, Templin, Fred L wrote:
> Brian,
> 
>> -----Original Message-----
>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>> Sent: Friday, September 11, 2009 6:27 PM
>> To: Templin, Fred L
>> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org
>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>
>> On 2009-09-12 11:12, Templin, Fred L wrote:
>>> Brian,
>>>
>>>> -----Original Message-----
>>>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>>>> Sent: Friday, September 11, 2009 4:06 PM
>>>> To: Templin, Fred L
>>>> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org
>>>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>>>
>>>> On 2009-09-12 09:13, Templin, Fred L wrote:
>>>>
>>>> (much text deleted)
>>>>
>>>>> Otherwise, the best solution IMHO
>>>>> would be to allow only routers (and not hosts) on the
>>>>> virtual links.
>>>> This was of course the original intention for 6to4, so
>>>> that any misconfiguration issues could be limited to presumably
>>>> trusted staff and boxes. Unfortunately, reality has turned out
>>>> to be different, with host-based automatic tunnels becoming
>>>> popular.
>>> Thanks. I was rethinking this a bit after sending, and
>>> I may have been too premature in saying routers only
>>> and not hosts.
>>>
>>> What I would rather have said was that mechanisms such as
>>> SEcure Neighbor Discovery (SEND) may be helpful in private
>>> addressing domains where spoofing is possible. Let me know
>>> if this makes sense.
>> Except for the practical problems involved in deploying SEND.
> 
> Can it be said that there is any appreciable operational
> experience with SEND yet? Are there implementations?

I'd like to know that too.

> 
>> We still have an issue in unmanaged networks.
> 
> By "unmanaged", how unmanaged do you mean? 

I was thinking of home networks, the kind where Teredo or
6to4 starts up spontaneously. Probably not a concern for
ISATAP sites.

    Brian

> ISATAP is
> intended for networks where there is at least some modicum
> of cooperative management. We want that it can also be used
> in "loosely" managed networks where there is an overall mutual
> spirit of cooperation but where site-internal link-layer
> address spoofing may still be possible. Can SEND be used
> for that, or do we need something else in addition (e.g.,
> a nonce with every message)?
> 
> Thanks - Fred
> fred.l.templin@boeing.com
> 
>>     Brian
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>