
RE: RE: Routing loop attacks using IPv6 tunnels



Dong,

> -----Original Message-----
> From: Dong Zhang [mailto:zhangdong_rh@huaweisymantec.com]
> Sent: Sunday, September 13, 2009 6:27 PM
> To: Templin, Fred L; Brian E Carpenter
> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org
> Subject: Re: RE: Routing loop attacks using IPv6 tunnels
> 
> Hi Templin,
> 
> Please see inline.
> 
> Templin, Fred L 2009-09-12 Wrote:
> >Brian,
> >
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> >> Sent: Friday, September 11, 2009 4:06 PM
> >> To: Templin, Fred L
> >> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> On 2009-09-12 09:13, Templin, Fred L wrote:
> >>
> >> (much text deleted)
> >>
> >> > Otherwise, the best solution IMHO
> >> > would be to allow only routers (and not hosts) on the
> >> > virtual links.
> >>
> >> This was of course the original intention for 6to4, so
> >> that any misconfiguration issues could be limited to presumably
> >> trusted staff and boxes. Unfortunately, reality has turned out
> >> to be different, with host-based automatic tunnels becoming
> >> popular.
> >
> >Thanks. I was rethinking this a bit after sending, and
> >I may have been too premature in saying routers only
> >and not hosts.
> >
> >What I would rather have said was that mechanisms such as
> >SEcure Neighbor Discovery (SEND) may be helpful in private
> >addressing domains where spoofing is possible. Let me know
> >if this makes sense.
> >
> IMHO, most of the threats of automatic tunnels, like ISATAP and 6to4,
> result from spoofing. If SEND or CGA can be used,
> many attacks could be mitigated.

Thanks for voicing your opinion on this, and I agree.

Fred
fred.l.templin@boeing.com

> 
> Thx.
> 
> >Fred
> >fred.l.templin@boeing.com
> >
> >>
> >>      Brian
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> 
> 
> ------------------
> Dong Zhang
> 2009-09-14
> 