Re: 6to4 security questions

[Alain Durand <Alain.Durand@Sun.COM>]

Erik Nordmark wrote:

> > Instead it makes sense trying to find sound operational practises that can
> > be applied while allowing nodes/sites using 6to4 to communicate with
> > nodes/sites that do not use 6to4 without severe security issues.
Give the current open, asymetrical, relay architecture of 6to4, this is 
not possible.

The core of the problem is that when decapsulating packets, 6to4 routers
have currently no way to know if packets are comming from a legitimate 
relay or not.
Any IPv4 host can impersonate a 6to4 relay and send a packet to a candid
6to4 host with IPv6 src the address of  an IPv6 victim.
The associated 6to4 router will decapsulate (no way to apply any check),
pass it to the candid host that will reply to the IPv6 src, that is, the 
victim.
Multiply this by thousands of candid hosts and you have a very nice
anonymized distributed denial of service attack on the IPv6 victim.
This is nothing new and was presented at London IETF.

There are in my opinion 4 ways forward:

1- Revisit 6to4 architecture to have bi-directional communication
   between the 6to4 router and the 6to4 relay. That way the decapsulating
   6to4 router could apply some checks and make sure packets are comming
   from a legitimate 6to4 relay.

2- Declare the problem  unsolvable and try to mitigate the effect,
   investigate iTrace solutions to enable tracing back the source of 
DDOS attack.

3- The main security concern is that the open relay architecture enables 
an attacker
   to defeat IPv4 ingress filtering (if in place) to do perform DDOS on 
a IPv6 host.
   There are already many other ways to create DDOS, so we should not 
worry to much.

4- Declare the problem unsolvable and serious. This means deprecating 6to4.


IMHO, 1) is a major undertaking, 2)  is scarry at least, 3) is 
irresponsible and
           4)  has tremendous consequences.

   - Alain.