
Re: IPv6 Security Overview

On Wed, Jan 04, 2006 at 01:52:57AM -0800, Vishwas Manral wrote:
>    I think a simple check at a firewall could be to see that the
>    routing header does not contain the same address more than once, just as
>    we have a check for the multicast address.
>    
> => I don't think it matters.
> VM> I agree the TTL/ Hop Limit changes etc. However by keeping address
> alternating i.e. Address [2x] = A, Address [2x+1] = B for x = 1 to n, we
> make a packet transit the same router n times, thus increasing the load
> on a router. It is a simple amplification attack.


I think I agree with Francis, that it doesn't really matter. However,
it is probably worth noting that your check does not prevent the
attack either. If you can find 128 live addresses on either side
of the router you can carry out the attack without listing any
address twice.

(I guess you might want to use a routing header that traverses
a single router a few times to get a better estimate of the RTT
through that router.)

>    It would have helped if the flow label field was not mutable (and hence
>    protected by AH) as it is anyway dependent on the source address.

FWIW, RFC 3697 already says the flow label should be delivered
unchanged to destination nodes. Though, as you point out, having
IPsec enforce that is a different matter.

	David.
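Added example, not part of the thread: a small parser for the IPv6 Type 0 routing header (RFC 2460 section 4.4) with the duplicate-address check Vishwas proposes, run over two constructed headers. The first alternates two addresses and is flagged; the second lists eight distinct addresses that alternate between two /48 prefixes (standing in for "either side of the router") and passes the check while still carrying the same number of forwarding hops, which is David's point. The `build_rh0` helper and the sample prefixes are assumptions made only to produce test input. As a caveat beyond the thread, RFC 5095 later deprecated Type 0 routing headers entirely, so a current firewall can simply drop them rather than inspect the address list.

```python
import ipaddress
import struct

# Type 0 routing header layout (RFC 2460 sec. 4.4): Next Header (1 octet),
# Hdr Ext Len (1, in 8-octet units excluding the first 8 octets), Routing
# Type (1), Segments Left (1), 4 reserved octets, then 16-octet addresses.
RH0_FIXED_LEN = 8
ROUTING_TYPE_0 = 0
NO_NEXT_HEADER = 59


def build_rh0(addresses, next_header=NO_NEXT_HEADER):
    """Constructed helper (assumption, not from the thread): encode a Type 0
    routing header listing `addresses`, with all segments still to be visited."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    hdr_ext_len = 2 * len(addresses)  # two 8-octet units per address
    if hdr_ext_len > 255:
        raise ValueError("too many addresses for an 8-bit Hdr Ext Len")
    fixed = struct.pack("!BBBBI", next_header, hdr_ext_len, ROUTING_TYPE_0,
                        len(addresses), 0)
    return fixed + packed


def parse_rh0(data):
    """Parse a Type 0 routing header; return (next_header, segments_left, addresses).
    Raises ValueError on truncation or inconsistent length fields."""
    if len(data) < RH0_FIXED_LEN:
        raise ValueError("truncated routing header")
    next_header, hdr_ext_len, routing_type, segments_left = struct.unpack("!BBBB", data[:4])
    if routing_type != ROUTING_TYPE_0:
        raise ValueError(f"not a Type 0 routing header (type {routing_type})")
    if hdr_ext_len % 2:
        raise ValueError("Hdr Ext Len must be even for Type 0")
    total = RH0_FIXED_LEN + 8 * hdr_ext_len
    if len(data) < total:
        raise ValueError("routing header shorter than Hdr Ext Len claims")
    count = hdr_ext_len // 2
    if segments_left > count:
        raise ValueError("Segments Left exceeds the number of listed addresses")
    addresses = [
        ipaddress.IPv6Address(data[RH0_FIXED_LEN + 16 * i:RH0_FIXED_LEN + 16 * (i + 1)])
        for i in range(count)
    ]
    return next_header, segments_left, addresses


def duplicate_address_check(data):
    """The firewall check proposed in the thread: flag a Type 0 routing header
    that lists any address more than once.
    Returns (flagged, address_count, sorted list of duplicated addresses)."""
    _, _, addresses = parse_rh0(data)
    seen, dups = set(), set()
    for addr in addresses:
        if addr in seen:
            dups.add(addr)
        seen.add(addr)
    return bool(dups), len(addresses), sorted(str(d) for d in dups)


def demo():
    """Run the check over two constructed headers of equal hop count."""
    a, b = "2001:db8:1::a", "2001:db8:2::b"
    # Constructed: the alternating A, B, A, B ... pattern from the thread.
    alternating = build_rh0([a, b] * 4)
    # Constructed: eight distinct addresses alternating between two prefixes,
    # so each hop crosses the same boundary but no address repeats.
    distinct = build_rh0([f"2001:db8:{1 + (i % 2)}::{i + 1:x}" for i in range(8)])
    return {
        "alternating": duplicate_address_check(alternating),
        "distinct": duplicate_address_check(distinct),
    }


if __name__ == "__main__":
    for name, (flagged, count, dups) in demo().items():
        print(f"{name}: flagged={flagged} addresses={count} duplicates={dups}")
```

Both headers carry eight addresses, so a forwarding path would cross the boundary between the two prefixes the same number of times; only the first is caught by the duplicate check, which is why the check alone is not a mitigation.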