Hi Tony,
On 6-Jun-2007, at 19:31, Tony Hain wrote:
There is no 'amplification', so the abstract is just wrong.
The candidate -01 contains the following text:
A single RH0 may contain multiple waypoint addresses, and the same
address may be included more than once in the same RH0. This allows
a packet to be constructed such that it will oscillate between two
RH0-processing hosts or routers many times. This allows a stream of
packets from an attacker to be amplified along the path between two
remote routers, which could be used to cause congestion along
arbitrary remote paths and hence act as a denial-of-service
mechanism. 88-fold amplification has been demonstrated using this
technique [CanSecWest07].
This technique can also be used as a more general traffic amplifier,
accumulating attack traffic in-flight between two well-connected but
mutually-distant waypoints and then finally delivering it towards a
third party once the RH0-directed oscillations for each packet are
complete. 7-fold amplification has been postulated using this
"capacitive effect" [CanSecWest07].
Various IPv6 transition mechanisms involve the transmission of IPv6
packets through tunnels built on IPv4 infrastructure (e.g.
[RFC2893], [RFC3056]). Tunnels remain widely-used at the time of
writing for the transmission of IPv6 traffic over IPv4 networks.
The use of such tunnels can result in IPv6 paths which include a small
number of routers apparently connected by very high latency circuits
(tunnels). Such paths provide opportunities to keep packets in-flight
for longer, with corresponding increases in amplification potential.
That text attempts to summarise three techniques which, facilitated
by the widespread availability of RH0 processing, facilitate
amplification which could be used as part of a denial-of-service attack.
If you have objections to the text I quoted above, it would help me
if you could spell them out. I find it far easier to grasp objections
if they are grounded in specific text.
The crap in the document about an anycast destination being
an amplification shows how little understanding there is about the
concept.
If you can find text that equates an anycast destination being "an
amplification", please point it out so I can remove it.
Anycast == 'unicast to the nearest instance'.
Indeed. I was one of the authors of BCP 126 and have some familiarity
with the concept.
/rant
I am getting really tired of the recent efforts by the telco world
trying to kill off value to the end user, just because they get no
direct benefit or perceive a direct threat to their dying model.
rant/
I'm confused by your references to telco bias, and I'd appreciate
some clarification.
Regards,
Joe
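The draft text quoted above describes the mechanism in words: an RH0 carries a list of waypoint addresses, the same address may appear many times, and Segments Left tells each waypoint how many forwarding legs remain. The following is an added example (mine, not the draft's nor anything from the list) of how a filter would inspect a packet for that condition and apply the "treat RH0 as an unrecognised routing type" behaviour the working group converged on: ignore the header when Segments Left is zero, otherwise discard. The wire layout follows RFC 2460 section 4.4; the sample packet is constructed inline from documentation-prefix addresses and is not captured traffic.

```python
"""Inspect an IPv6 packet for a Type 0 Routing Header (RH0).

Added example, not from the draft or the mailing list.  Header layouts
are those of RFC 2460; the filtering verdict follows the RH0 deprecation
behaviour (ignore if Segments Left == 0, else discard).
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP = 0
NH_ROUTING = 43
NH_FRAGMENT = 44
NH_NO_NEXT = 59
NH_DEST_OPTS = 60


def inspect_rh0(packet: bytes) -> dict:
    """Walk the extension-header chain; report the first RH0 found.

    Returns rh0_present, segments_left, the waypoint list and how many
    waypoint slots repeat an earlier address (the oscillation trick).
    """
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    result = {"rh0_present": False, "segments_left": 0,
              "waypoints": [], "duplicates": 0}
    next_header = packet[6]
    offset = IPV6_HDR_LEN
    while True:
        if next_header in (NH_HOP_BY_HOP, NH_DEST_OPTS, NH_ROUTING):
            if len(packet) < offset + 8:
                raise ValueError("truncated extension header")
            nh, hdr_ext_len = packet[offset], packet[offset + 1]
            ext_total = (hdr_ext_len + 1) * 8   # Hdr Ext Len is in 8-octet units
            if len(packet) < offset + ext_total:
                raise ValueError("truncated extension header")
            if next_header == NH_ROUTING:
                routing_type, segments_left = packet[offset + 2], packet[offset + 3]
                if routing_type == 0:
                    if hdr_ext_len % 2:
                        raise ValueError("malformed RH0: odd Hdr Ext Len")
                    # 4 reserved bytes follow the fixed fields, then 16-byte addresses.
                    n_addrs = hdr_ext_len // 2
                    addrs = [
                        str(ipaddress.IPv6Address(
                            packet[offset + 8 + 16 * i: offset + 24 + 16 * i]))
                        for i in range(n_addrs)
                    ]
                    result.update(rh0_present=True, segments_left=segments_left,
                                  waypoints=addrs,
                                  duplicates=len(addrs) - len(set(addrs)))
                    return result
            next_header, offset = nh, offset + ext_total
        elif next_header == NH_FRAGMENT:
            if len(packet) < offset + 8:
                raise ValueError("truncated fragment header")
            next_header, offset = packet[offset], offset + 8   # fixed 8 bytes
        else:
            return result   # upper-layer header reached; no RH0


def rh0_verdict(packet: bytes) -> str:
    """Filter decision: 'pass' (no RH0), 'ignore' (RH0, Segments Left 0), 'discard'."""
    info = inspect_rh0(packet)
    if not info["rh0_present"]:
        return "pass"
    return "ignore" if info["segments_left"] == 0 else "discard"


def constructed_rh0_packet(src: str, dst: str, waypoints: list, segments_left=None) -> bytes:
    """Constructed test input (not captured traffic): IPv6 header + RH0, no payload."""
    if len(waypoints) > 127:
        raise ValueError("Hdr Ext Len is one byte; at most 127 addresses")
    if segments_left is None:
        segments_left = len(waypoints)
    addr_bytes = b"".join(ipaddress.IPv6Address(a).packed for a in waypoints)
    # Next Header, Hdr Ext Len, Routing Type 0, Segments Left, 4 reserved bytes
    rh0 = struct.pack("!BBBBI", NH_NO_NEXT, 2 * len(waypoints), 0, segments_left, 0) + addr_bytes
    # Version 6, zero traffic class / flow label, payload length, NH=Routing, hop limit
    ip6 = struct.pack("!IHBB", 6 << 28, len(rh0), NH_ROUTING, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + rh0


if __name__ == "__main__":
    # Two waypoints repeated 44 times: the 88-entry shape the draft refers to.
    sample = constructed_rh0_packet("2001:db8::a", "2001:db8::1",
                                    ["2001:db8::1", "2001:db8::2"] * 44)
    print(inspect_rh0(sample)["duplicates"], rh0_verdict(sample))
```

The duplicate count is the useful telemetry for a log line: a legitimate source-routed packet would list each waypoint once, so any repetition is a strong signal on its own, and Segments Left bounds how many extra forwarding legs the packet can still request.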
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------