
Re: Routing loop attacks using IPv6 tunnels



(one word reply in line...)

On 2009-09-16 03:34, Templin, Fred L wrote:
> Brian,
> 
>> -----Original Message-----
>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>> Sent: Monday, September 14, 2009 9:03 PM
>> To: Templin, Fred L
>> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org
>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>
>> On 2009-09-15 04:25, Templin, Fred L wrote:
>>> Brian,
>>>
>>>> -----Original Message-----
>>>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>>>> Sent: Friday, September 11, 2009 6:27 PM
>>>> To: Templin, Fred L
>>>> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org
>>>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>>>
>>>> On 2009-09-12 11:12, Templin, Fred L wrote:
>>>>> Brian,
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>>>>>> Sent: Friday, September 11, 2009 4:06 PM
>>>>>> To: Templin, Fred L
>>>>>> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org
>>>>>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>>>>>
>>>>>> On 2009-09-12 09:13, Templin, Fred L wrote:
>>>>>>
>>>>>> (much text deleted)
>>>>>>
>>>>>>> Otherwise, the best solution IMHO
>>>>>>> would be to allow only routers (and not hosts) on the
>>>>>>> virtual links.
>>>>>> This was of course the original intention for 6to4, so
>>>>>> that any misconfiguration issues could be limited to presumably
>>>>>> trusted staff and boxes. Unfortunately, reality has turned out
>>>>>> to be different, with host-based automatic tunnels becoming
>>>>>> popular.
>>>>> Thanks. I was rethinking this a bit after sending, and
>>>>> I may have been too premature in saying routers only
>>>>> and not hosts.
>>>>>
>>>>> What I would rather have said was that mechanisms such as
>>>>> SEcure Neighbor Discovery (SEND) may be helpful in private
>>>>> addressing domains where spoofing is possible. Let me know
>>>>> if this makes sense.
>>>> Except for the practical problems involved in deploying SEND.
>>> Can it be said that there is any appreciable operational
>>> experience with SEND yet? Are there implementations?
>> I'd like to know that too.
>>
>>>> We still have an issue in unmanaged networks.
>>> By "unmanaged", how unmanaged do you mean?
>> I was thinking of home networks, the kind where Teredo or
>> 6to4 starts up spontaneously. Probably not a concern for
>> ISATAP sites.
> 
> OK, thanks for the clarification. I think you probably
> mean home networks where the home gateway has not yet
> been turned into an ISATAP router - else, it would be
> a managed network. Does that sound right?

Yes
   Brian
> 
> Fred
> fred.l.templin@boeing.com
> 
>>     Brian
>>
>>> ISATAP is
>>> intended for networks where there is at least some modicum
>>> of cooperative management. We want it to also be usable
>>> in "loosely" managed networks where there is an overall mutual
>>> spirit of cooperation but where site-internal link-layer
>>> address spoofing may still be possible. Can SEND be used
>>> for that, or do we need something else in addition (e.g.,
>>> a nonce with every message)?
>>>
>>> Thanks - Fred
>>> fred.l.templin@boeing.com
>>>
>>>>     Brian
>>>>
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------