4 Sep 2009 20:54
RE: Routing loop attacks using IPv6 tunnels
Templin, Fred L <Fred.L.Templin <at> boeing.com>
2009-09-04 18:54:39 GMT
Hi Remi,
I couldn't parse most of your message; there is no such
thing as a /96 prefix.
Fred
fred.l.templin <at> boeing.com
> -----Original Message-----
> From: Rémi Després [mailto:remi.despres <at> free.fr]
> Sent: Friday, September 04, 2009 10:05 AM
> To: Templin, Fred L
> Cc: Gabi Nakibly; v6ops; 6man 6man; secdir <at> ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
>
> Comment below
>
> Le 3 sept. 09 à 17:59, Templin, Fred L a écrit :
>
> > Gabi,
> >
> >> -----Original Message-----
> >> From: Gabi Nakibly [mailto:gnakibly <at> yahoo.com]
> >> Sent: Thursday, September 03, 2009 8:00 AM
> >> To: Templin, Fred L; v6ops
> >> Cc: ipv6 <at> ietf.org; secdir <at> ietf.org
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> Hi Fred,
> >> see inline.
> >>
> >> Gabi
> >>
> >> ----- Original Message ----
> >>> From: "Templin, Fred L" <Fred.L.Templin <at> boeing.com>
> >>> To: Gabi Nakibly <gnakibly <at> yahoo.com>; v6ops <v6ops <at> ops.ietf.org>
> >>> Cc: ipv6 <at> ietf.org; secdir <at> ietf.org
> >>> Sent: Tuesday, September 1, 2009 6:49:56 PM
> >>> Subject: RE: Routing loop attacks using IPv6 tunnels
> >>>
> >>> Gabi,
> >>>
> >>>> -----Original Message-----
> >>>> From: Gabi Nakibly [mailto:gnakibly <at> yahoo.com]
> >>>> Sent: Monday, August 31, 2009 12:41 PM
> >>>> To: Templin, Fred L; v6ops
> >>>> Cc: ipv6 <at> ietf.org; secdir <at> ietf.org
> >>>> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>>>
> >>>> Fred,
> >>>>
> >>>> I agree that the source address check discussed below should be
> >>>> made. I would also add a fourth check to mitigate attack #3 as a
> >>>> second layer of defense in case the opposite ISATAP router does not
> >>>> make the proper check on the destination address.
> >>>>
> >>>> isatap_xmt() {
> >>>> ...
> >>>> if (src == "<foreign prefix>::0200:5efe:<my IP address>")
> >>>> drop_pkt(); /* attack #3 mitigation */
> >>>> ...
> >>>> }
> >>>
> >>> Having thought about it a bit, I agree but for ISATAP I see
> >>> the source address check as a MAY and the destination address
> >>> check as a SHOULD.
>
>
> The two following scenarios show in my understanding that ISATAP
> routers SHOULD check Source addresses of packets they receive in IPv6:
>
> SCENARIO 1: between two ISATAP routers A and B
>
> ISATAP router A receives in IPv6:
> Dst6 = </96 prefix of ISATAP router A> . <IPv4 address of ISATAP router B>
> Src6 = </96 prefix of ISATAP router B> . <IPv4 address of ISATAP router A>
>
> If ISATAP router A doesn't discard the packet because of its
> source address, it will encapsulate it with:
> Dst4 = <IPv4 address of ISATAP router B>
> Src4 = <IPv4 address of ISATAP router A>
>
> Then, ISATAP router B finds that Src6 and Src4 are consistent, and
> forwards the IPv6 packet to ISATAP router A.
> The routing loop is in place.
>
> SCENARIO 2: between an ISATAP router and a 6to4 relay router
>
> The ISATAP router receives in IPv6:
>
> Dst6 = </96 prefix of the ISATAP router> . <IPv4 address of the 6to4 relay>
> Src6 = 2002::/16 . <IPv4 address of the ISATAP router>
>
> If it doesn't discard the packet because of its source address, it
> will encapsulate it with:
> Dst4 = <IPv4 address of the 6to4 relay>
> Src4 = <IPv4 address of the ISATAP router>
>
> Then, the 6to4 relay finds that Src6 and Src4 are consistent, and
> forwards the IPv6 packet to the ISATAP router.
> The routing loop is in place.
>
> Anything missing?
>
> Regards,
> RD
>
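The source-address check that the two quoted scenarios argue an ISATAP router SHOULD make before encapsulating, written out as an added Python example; this is not code from the thread or from any ISATAP implementation, and the router's IPv4 address, the prefixes and the function names are constructed for illustration.

```python
import ipaddress

# ISATAP interface identifiers carry 0000:5efe or 0200:5efe in bits 64..95
# followed by the embedded IPv4 address; 6to4 embeds it in bits 16..47 of 2002::/16.
ISATAP_IID_MARKERS = (0x00005EFE, 0x02005EFE)
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def embedded_ipv4(addr6):
    """Return the IPv4 address embedded in an ISATAP or 6to4 address, else None."""
    addr6 = ipaddress.IPv6Address(addr6)
    n = int(addr6)
    if addr6 in SIXTO4_PREFIX:
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)   # 2002:WWXX:YYZZ::/48
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IID_MARKERS:
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)            # ...:5efe:W.X.Y.Z
    return None


def should_drop_before_encap(src6, my_ipv4, my_prefix):
    """Check run on IPv6 packets an ISATAP router is about to encapsulate in IPv4.

    Drop when the IPv6 source address embeds this router's own IPv4 address under
    a foreign ISATAP prefix (scenario 1) or under 2002::/16 (scenario 2): such a
    source can only have been built to make the far end bounce the packet back.
    """
    src6 = ipaddress.IPv6Address(src6)
    if src6 in ipaddress.IPv6Network(my_prefix):
        return False                      # our own ISATAP link, not a foreign prefix
    return embedded_ipv4(src6) == ipaddress.IPv4Address(my_ipv4)


if __name__ == "__main__":
    # Constructed addresses (documentation ranges): router A is 192.0.2.1 and
    # serves 2001:db8:a::/64; router B serves 2001:db8:b::/64.
    me, mine = "192.0.2.1", "2001:db8:a::/64"
    print(should_drop_before_encap("2001:db8:b::200:5efe:c000:201", me, mine))  # True, scenario 1
    print(should_drop_before_encap("2002:c000:201::1", me, mine))                # True, scenario 2
    print(should_drop_before_encap("2001:db8:b::200:5efe:c633:6407", me, mine))  # False, B's own host
```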
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 <at> ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------