On Thu, 20 Dec 2001, Francis Dupont wrote:
>  In your previous mail you wrote:
>
>    There was a draft on "local-link" security threats:
>
>    http://www.ietf.org/internet-drafts/draft-kempf-ipng-netaccess-threats-00.txt
>
>    Some of these may apply _remotely_ to nodes which implement automatic
>    tunneling mechanisms (autotunnel, 6to4, ...), too.
>
> => IPv4-compatible IPv6 addresses are phased out, 6to4 documents
> have an explicit section about needed checks against this kind of
> attacks. If you don't fill the ... you are just breaking an open door (:-)!

ISATAP, perhaps (haven't really looked into it yet).

I disagree about 6to4: I wouldn't say security considerations is an explicit section as such, and certainly not about _this_ kind of attacks. Just rather vague notes.

Also note that autotunnel spec does not require that destination address must be compatible address when decapsulating. There's not all that much about source either.

The issue is not about breaking the door but realizing someone left the back door open.

> PS: I agree blind decapsulation is bad but this is not a scoop.

Good we agree on blind decapsulation. I dislike that security was not discussed properly in the main context of the draft; more like as just an afterthought "for you security geeks, here are a few possible problems.."

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
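
Added example, not part of the original message or of any spec it discusses: a Python sketch of the address-consistency checks that separate checked from blind decapsulation of automatically tunneled (protocol 41) packets. The function names, the non-relay destination policy and the sample packets are assumptions made for illustration.

```python
import ipaddress

def embedded_v4(addr6):
    """IPv4 address embedded in a 6to4 (2002::/16) or IPv4-compatible
    (::a.b.c.d) IPv6 address, or None for any other address."""
    a = ipaddress.IPv6Address(addr6)
    if a.sixtofour is not None:
        return a.sixtofour
    value = int(a)
    # IPv4-compatible: upper 96 bits are zero; :: and ::1 are excluded.
    if value >> 32 == 0 and value > 1:
        return ipaddress.IPv4Address(value)
    return None

def decap_verdict(outer_src, outer_dst, inner_src, inner_dst):
    """Reasons to drop a protocol-41 packet; an empty list means accept."""
    reasons = []
    o_src = ipaddress.IPv4Address(outer_src)
    o_dst = ipaddress.IPv4Address(outer_dst)
    e_src = embedded_v4(inner_src)
    e_dst = embedded_v4(inner_dst)
    # Source: an embedded IPv4 address must be the one that sent the packet.
    # A native inner source (e_src is None) cannot be tied to the outer
    # header this way and passes this check.
    if e_src is not None and e_src != o_src:
        reasons.append(f"inner source embeds {e_src}, outer source is {o_src}")
    # Destination: assumed policy for a non-relay node, accept only traffic
    # addressed to the tunnel address derived from our own IPv4 address.
    if e_dst is None:
        reasons.append("inner destination is not an automatic-tunnel address")
    elif e_dst != o_dst:
        reasons.append(f"inner destination embeds {e_dst}, outer destination is {o_dst}")
    return reasons

# Constructed sample packets (documentation address ranges), as
# (outer_src, outer_dst, inner_src, inner_dst).
SAMPLES = [
    ("192.0.2.1", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1"),
    ("203.0.113.9", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1"),
    ("192.0.2.1", "198.51.100.7", "::192.0.2.1", "2001:db8::1"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", decap_verdict(*pkt) or "accept")
```
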
