[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Routing loop attacks using IPv6 tunnels

To: Dmitry Anipko <Dmitry.Anipko@microsoft.com>, Gabi Nakibly <gnakibly@yahoo.com>, v6ops <v6ops@ops.ietf.org>
Subject: RE: Routing loop attacks using IPv6 tunnels
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
Date: Fri, 12 Mar 2010 13:13:05 -0800
Accept-language: en-US
Acceptlanguage: en-US
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
In-reply-to: <DD1A73D9E9C89144A927C5080F70285A9366BCAF28@NA-EXMSG-S702.segroup.winse.corp.microsoft.com>
References: <475898.88672.qm@web45510.mail.sp1.yahoo.com><39C363776A4E8C4A94 691D2BD9D1C9A106514554@XCH-NW-7V2.nw.nos.boeing.com><39C363776A4E8C4A94691D 2BD9D1C9A1065145AE@XCH-NW-7V2.nw.nos.boeing.com><39C363776A4E8C4A94691D2BD9 D1C9A106555996@XCH-NW-7V2.nw.nos.boeing.com><212591.98462.qm@web45502.mail. sp1.yahoo.com><39C363776A4E8C4A94691D2BD9D1C9A106555B3D@XCH-NW-7V2.nw.nos.boeing.com> <DD1A73D9E9C89144A927C5080F70285A9366BCAF28@NA-EXMSG-S702.segroup.winse.corp.microsoft.com>

Hi Dmitry,

> -----Original Message-----
> From: Dmitry Anipko [mailto:Dmitry.Anipko@microsoft.com]
> Sent: Friday, March 12, 2010 12:54 PM
> To: Templin, Fred L; Gabi Nakibly; v6ops
> Cc: ipv6@ietf.org; secdir@ietf.org
> Subject: RE: Routing loop attacks using IPv6 tunnels
> 
> Hello,
> 
> I wanted to follow up on Fred's comment earlier in this thread:
> 
> >> OK. That will greatly simplify the checks needed for new
> automatic tunneling protocols that have a format other
> than ip-proto-41.
> 
> For the designers of new tunneling protocols, shall perhaps a recommendation on best practices be
> included into the draft or another document, that for the new tunnels a different protocol value /
> format should be used?

Are you are referring here to 'draft-nakibly-v6ops-tunnel-loop-01'?
If so, IMHO this document would be the natural location for such a
recommendation. 

> Examples of such protocol / formats could include using a different next-protocol value, potentially
> with some multiplexing schema if just using different next-protocol values is not scalable, or
> possibly some other format.

Yes, I think it would be very good to declare ip-proto-41 as
fully-developed and recommend that new tunneling protocols use
a different ip protocol number and/or TCP/UDP port number. This
would greatly reduce the concern for having to go back and
revisit tunneling implementations that perform src/dst checks
if a new tunneling protocol happens to emerge. Gabi - do you
have any thoughts on this?

Thanks - Fred
fred.l.templin@boeing.com

> Thank you,
> Dmitry
> 
> -----Original Message-----
> From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of Templin, Fred L
> Sent: Friday, August 28, 2009 1:25 PM
> To: Gabi Nakibly; v6ops
> Cc: ipv6@ietf.org; secdir@ietf.org
> Subject: RE: Routing loop attacks using IPv6 tunnels
> 
> Gabi,
> 
> > -----Original Message-----
> > From: Gabi Nakibly [mailto:gnakibly@yahoo.com]
> > Sent: Friday, August 28, 2009 12:07 PM
> > To: Templin, Fred L; v6ops
> > Cc: ipv6@ietf.org; secdir@ietf.org
> > Subject: Re: Routing loop attacks using IPv6 tunnels
> >
> > Correct. All the attacks rely on the fact that the ISATAP router
> encapsulates/decapsulates a packet
> > the 6to4 relay decapsulates/encapsulates, respectively. So the two
> tunnels must have the same
> > encapsulation type.
> 
> OK. That will greatly simplify the checks needed for new
> automatic tunneling protocols that have a format other
> than ip-proto-41.
> 
> Fred
> fred.l.templin@boeing.com
> 
> > ----- Original Message ----
> > > From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
> > > To: Gabi Nakibly <gnakibly@yahoo.com>; v6ops <v6ops@ops.ietf.org>
> > > Cc: ipv6@ietf.org; secdir@ietf.org
> > > Sent: Friday, August 28, 2009 7:23:03 PM
> > > Subject: RE: Routing loop attacks using IPv6 tunnels
> > >
> > > Gabi,
> > >
> > > Correct me if I am wrong, but if there were a new version
> > > of ISATAP that did not use ip-proto-41 encapsulation but
> > > instead used a different kind of encapsulation, then it
> > > need not concern itself with routing loop interactions
> > > with 6to4 relays since 6to4 relays only know about
> > > ip-proto-41. Does that match your understanding?
> > >
> > > Thanks - Fred
> > > fred.l.templin@boeing.com
> >
> >
> >
> >
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

Follow-Ups:
- Re: Routing loop attacks using IPv6 tunnels
  - From: Gabi Nakibly <gnakibly@yahoo.com>

Prev by Date: Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP Error Messages + Vocabulary
Next by Date: Re: Routing loop attacks using IPv6 tunnels
Previous by thread: I-D Action:draft-ietf-v6ops-tunnel-security-concerns-02.txt
Next by thread: Re: Routing loop attacks using IPv6 tunnels
Index(es):
- Date
- Thread