Re: 6to4 security questions
Pekka,
My fundamental question since the 6to4 spoofing issue was first
raised is whether this exposure to spoofing is a *significant*
addition to the generic exposure. If you were a spoofer, would
you really bother spoofing 6to4 rather than just plain spoofing? So
my feeling is that we really need more general work on anti-v6-spoofing,
with this viewed as one case among many.
I am reluctant to see us publish an RFC containing specific
heuristics for the 6to4 case until we have really looked at
spoofing in general.
Brian
Pekka Savola wrote:
>
> Hello,
>
> The most important part (how to go forward) got cut off at the meeting, so
> I'm hoping to be able to hear some thoughts on the 6to4 security issues.
>
> * The most important thing:
> ==> document the existing problems and declare done or try to invent
> bigger fixes for the problems?
>
> * Draft has two parts
> - relay spoofing troubles
> - 6to4 usage analysis, guidelines for sec considerations
> implementation etc.
> ==> keep these separate or not? (the second are IMO ready)
>
> * Is the relay problem (spoofing from 2001::/16) something we need to
> worry about?
> - after all, you probably can spoof the source addresses without 6to4
> too..
> ==> if yes, how much effort should we put into it?
>
> * Should we analyze the DoS attacks (abusing relays) whether anything can
> be done against those in more detail?
> - already in the draft, maybe more
>
> --
> Pekka Savola
> Netcore Oy
> Systems. Networks. Security.
>
> "Tell me of difficulties surmounted,
> not those you stumble over and fall"
> -- Robert Jordan: A Crown of Swords
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter
Distinguished Engineer, Internet Standards & Technology, IBM
On assignment at the IBM Zurich Laboratory, Switzerland
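The relay spoofing problem discussed above comes down to what a 6to4 router or relay can and cannot verify when it decapsulates a protocol-41 packet: the IPv4 address embedded in a 2002::/16 source can be compared with the outer IPv4 source, but a native IPv6 source arriving through a relay carries nothing the receiving 6to4 router can check. The following is an added example, not code from either message or from any 6to4 implementation; it implements that consistency check with a deliberately minimal non-global IPv4 list (an assumption; a real deployment would use a fuller bogon list) and sample addresses that are constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Minimal list of IPv4 ranges that must never appear as an outer source or as
# the address embedded in a 6to4 source. Assumption: illustrative only; a real
# deployment would use a fuller bogon list.
NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_v4(addr):
    """Return the IPv4 address embedded in a 6to4 address (2002:V4V4:V4V4::/48),
    or None if the address is not in 2002::/16."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    # bytes 2..5 of the 128-bit address hold the site's IPv4 address
    return ipaddress.IPv4Address(a.packed[2:6])


def v4_is_non_global(addr):
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in NON_GLOBAL_V4)


def check_decap(role, outer_src, outer_dst, inner_src, inner_dst):
    """Decide whether a received protocol-41 packet should be decapsulated.

    role: "router" (a 6to4 site router) or "relay" (a 6to4 relay router).
    outer_*: IPv4 header addresses; inner_*: encapsulated IPv6 header addresses.
    Returns (accept, reason)."""
    outer_src = ipaddress.IPv4Address(outer_src)
    outer_dst = ipaddress.IPv4Address(outer_dst)
    src_v4 = embedded_v4(inner_src)
    dst_v4 = embedded_v4(inner_dst)

    if v4_is_non_global(outer_src):
        return False, "outer IPv4 source %s is not a global address" % outer_src

    if src_v4 is not None:
        # Inner source claims to be 6to4: the embedded IPv4 address must be the
        # IPv4 address the packet actually came from, and must itself be global.
        if src_v4 != outer_src:
            return False, "6to4 source embeds %s but outer source is %s" % (src_v4, outer_src)
        if v4_is_non_global(src_v4):
            return False, "6to4 source embeds non-global address %s" % src_v4

    if role == "router":
        # A site router only decapsulates traffic for its own 2002:<v4>::/48.
        if dst_v4 is None or dst_v4 != outer_dst:
            return False, "inner destination is not in this router's 6to4 /48"
        if src_v4 is None:
            # Native IPv6 source forwarded by some relay. Nothing in the packet
            # lets the router verify the relay, which is the gap the thread is
            # about: the check above only covers 2002::/16 sources.
            return True, "native IPv6 source via relay, accepted unverified"
        return True, "6to4-to-6to4 traffic, embedded and outer source consistent"

    if role == "relay":
        if src_v4 is None:
            return False, "relay decapsulates only packets from 6to4 sources"
        if dst_v4 is not None:
            return False, "6to4-to-6to4 traffic should not transit a relay"
        return True, "6to4 source consistent, forwarding to native IPv6"

    raise ValueError("unknown role %r" % role)


if __name__ == "__main__":
    # Constructed sample: site 192.0.2.1 (2002:c000:201::/48) sending to
    # site 198.51.100.7 (2002:c633:6407::/48), then a spoofed variant.
    print(check_decap("router", "192.0.2.1", "198.51.100.7",
                      "2002:c000:201::1", "2002:c633:6407::5"))
    print(check_decap("router", "192.0.2.1", "198.51.100.7",
                      "2002:a00:1::1", "2002:c633:6407::5"))
```

The router branch makes the asymmetry explicit: a 6to4 source can be tied to the outer IPv4 header, but a packet whose inner source is outside 2002::/16 is accepted on the strength of the relay alone, so the check does nothing against the case Pekka raises of spoofed traffic entering through a relay.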