[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: 6to4 security questions

To: "Brian E Carpenter" <brian@hursley.ibm.com>,"Pekka Savola" <pekkas@netcore.fi>
Subject: RE: 6to4 security questions
From: "Christian Huitema" <huitema@windows.microsoft.com>
Date: Fri, 22 Nov 2002 18:33:03 -0800
Cc: <v6ops@ops.ietf.org>
Delivery-date: Fri, 22 Nov 2002 18:35:18 -0800
Envelope-to: v6ops-data@psg.com
Sender: owner-v6ops@ops.ietf.org
Thread-index: AcKR+OtYtasEX6+yTBWEZpHln4sVYAAnIL8w
Thread-topic: 6to4 security questions

Reading this thread, it seems that many people are confusing several
aspects of the 6to4 security issue. Maybe we should start by writing a
complete security analysis, something a bit more detailed than the
current draft. In any case, let's look at the reflection attack.

The attack to which we kept being pointed is the following: a random
host sends a packet to an IPv6 server listening to a 6to4 address
through a 6to4 router (not to a 6to4 relay); the IPv6 server sends a
response packet to the (forged) IPv6 source address of the incoming
packet.

The vulnerability is that, with this mechanism, a DOS attacker can use
an IPv6 server listening on a 6to4 address to "launder" a DOS attack
launched against an IPv6 site: the IPv6 packets will not contain any
trace of the original IPv4 address from which the attack was launched.
Clearly, that is bad. There are however a number of mitigating factors:

1) The attack does not include a multiplier effect; the amount of
traffic directed at the target will be about equal to the amount of
traffic sent by the attacker.

2) The attack packets go through a choke point, the 6to4 relay between
the laundering site and the target.

3) The packets received by the target contain the address of the
relaying 6to4 site.

4) The payload of the packets received by the target will be a response
generated by the laundering server, which limits any "magic packet"
issue.

5) The attack only provides value if the attacker's IPv4 connection was
subject to ingress filtering, which is alas not a very common case.

Because of the absence of a magic packet effect, this attack is only
really powerful if it is practiced by a "fleet of zombies" using a large
number of reflectors. I personally don't think that fleets of zombies
can be practically eliminated by simply observing their IPv4 addresses.
I also don't think that the attacker whose virus managed to enslave a
large number of zombies particularly cares that these zombies will be
eventually discovered; in practice, the zombies are expandable. I
suspect that the attacker will rather forgo the reflection exercise,
because an attack in which the content of packets can be chosen is more
powerful than an attack in which the source of packets can be hidden. In
any case, given a large enough fleet of zombies, it is statistically
likely that many zombies will not be submitted to IPv4 ingress
filtering; those who are can very often randomize at least some bits of
their source address, mimicking another fellow on the same LAN.

In short, yes it is a vulnerability, but it is not a terribly dangerous
one, and it is a vulnerability that will in any case disappear with
6to4, when sites receive native IPv6 connectivity. So, yes, a fix is
welcome; however, the fix should not be so drastic as to impede the
"autonomous deployment" advantage of 6to4.

-- Christian Huitema

Follow-Ups:
- Re: 6to4 security questions
  - From: Alain Durand <Alain.Durand@Sun.COM>
- RE: 6to4 security questions
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: 6to4 security questions
  - From: Brian E Carpenter <brian@hursley.ibm.com>

Prev by Date: Re: Comments and alternatives to draftt-huston-ietf-pact-00 (long)
Next by Date: RE: 6to4 usage scenarios
Previous by thread: Re: 6to4 security questions
Next by thread: Re: 6to4 security questions
Index(es):
- Date
- Thread