Hi Remi, I couldn't parse most of your message; there is no such thing as a /96 prefix.
Fred

[email protected]

> -----Original Message-----
> From: Rémi Després [mailto:[email protected]]
> Sent: Friday, September 04, 2009 10:05 AM
> To: Templin, Fred L
> Cc: Gabi Nakibly; v6ops; 6man 6man; [email protected]
> Subject: Re: Routing loop attacks using IPv6 tunnels
>
> Comment below
>
> On 3 Sept. 09 at 17:59, Templin, Fred L wrote:
>
> > Gabi,
> >
> >> -----Original Message-----
> >> From: Gabi Nakibly [mailto:[email protected]]
> >> Sent: Thursday, September 03, 2009 8:00 AM
> >> To: Templin, Fred L; v6ops
> >> Cc: [email protected]; [email protected]
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> Hi Fred,
> >> see inline.
> >>
> >> Gabi
> >>
> >> ----- Original Message ----
> >>> From: "Templin, Fred L" <[email protected]>
> >>> To: Gabi Nakibly <[email protected]>; v6ops <[email protected]>
> >>> Cc: [email protected]; [email protected]
> >>> Sent: Tuesday, September 1, 2009 6:49:56 PM
> >>> Subject: RE: Routing loop attacks using IPv6 tunnels
> >>>
> >>> Gabi,
> >>>
> >>>> -----Original Message-----
> >>>> From: Gabi Nakibly [mailto:[email protected]]
> >>>> Sent: Monday, August 31, 2009 12:41 PM
> >>>> To: Templin, Fred L; v6ops
> >>>> Cc: [email protected]; [email protected]
> >>>> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>>>
> >>>> Fred,
> >>>>
> >>>> I agree that the source address check discussed below should be
> >>>> made. I would also add a fourth check to mitigate attack #3 as a
> >>>> second layer of defense in case the opposite ISATAP router does not
> >>>> make the proper check on the destination address.
> >>>>
> >>>> isatap_xmt() {
> >>>>     ...
> >>>>     if (src == "<foreign prefix>::0200:5efe:<my IP address>")
> >>>>         drop_pkt(); /* attack #3 mitigation */
> >>>>     ...
> >>>> }
> >>>
> >>> Having thought about it a bit, I agree but for ISATAP I see
> >>> the source address check as a MAY and the destination address
> >>> check as a SHOULD.
> >
>
> The two following scenarios show in my understanding that ISATAP
> routers SHOULD check Source addresses of packets they receive in IPv6:
>
> SCENARIO 1: between two ISATAP routers A and B
>
> ISATAP router A receives in IPv6:
> Dst6 = </96 prefix of ISATAP router A> . <IPv4 address of ISATAP router B>
> Src6 = </96 prefix of ISATAP router B> . <IPv4 address of ISATAP router A>
>
> If ISATAP router A doesn't discard the packet because of its
> source address, it will encapsulate it with:
> Dst4 = <IPv4 address of ISATAP router B>
> Src4 = <IPv4 address of ISATAP router A>
>
> Then, ISATAP router B finds that Src6 and Src4 are consistent, and
> forwards the IPv6 packet to ISATAP router A.
> The routing loop is in place.
>
> SCENARIO 2: between an ISATAP router and a 6to4 relay router
>
> The ISATAP router receives in IPv6:
>
> Dst6 = </96 prefix of the ISATAP router> . <IPv4 address of the 6to4 relay>
> Src6 = 2002::/16 . <IPv4 address of the ISATAP router>
>
> If it doesn't discard the packet because of its source address, it
> will encapsulate it with:
> Dst4 = <IPv4 address of the 6to4 relay>
> Src4 = <IPv4 address of the ISATAP router>
>
> Then, the 6to4 relay finds that Src6 and Src4 are consistent, and
> forwards the IPv6 packet to the ISATAP router.
> The routing loop is in place.
>
> Anything missing?
>
> Regards,
> RD
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
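The source check Gabi proposes and the Src6/Src4 consistency test the peer applies in both scenarios, as an added example that is not part of this thread or of any ISATAP implementation. The router class, the 2002::/16 handling and all addresses (192.0.2.1 as router A, 2001:db8:a::/64 as its prefix) are constructed assumptions for illustration.

```python
import ipaddress

# ISATAP interface identifiers are ::0000:5efe:w.x.y.z or ::0200:5efe:w.x.y.z (u/l bit set)
ISATAP_IID_MARKERS = (0x00005EFE, 0x02005EFE)
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # 6to4: 2002:WWXX:YYZZ::/48 embeds w.x.y.z


def embedded_ipv4(addr6):
    """Return the IPv4 address embedded in an ISATAP or 6to4 address, else None."""
    a = ipaddress.IPv6Address(addr6)
    n = int(a)
    if a in SIXTOFOUR:
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IID_MARKERS:
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None


class IsatapRouter:
    """Constructed stand-in for an ISATAP router: its own IPv4 address and its /64 prefix."""

    def __init__(self, my_ipv4, my_prefix):
        self.my_ipv4 = ipaddress.IPv4Address(my_ipv4)
        self.my_prefix = ipaddress.IPv6Network(my_prefix)

    def xmit_check(self, src6, dst6):
        """Decide whether an IPv6 packet may be encapsulated over IPv4 (the isatap_xmt step)."""
        src = ipaddress.IPv6Address(src6)
        # Source check: an IPv6 source outside my prefix that embeds my own IPv4 address
        # (scenario 1: a foreign ISATAP prefix; scenario 2: 2002::/16) will pass the peer's
        # Src6/Src4 consistency test and be forwarded straight back to me: a loop.
        if src not in self.my_prefix and embedded_ipv4(src6) == self.my_ipv4:
            return "drop: src6 embeds my own IPv4 address under a foreign prefix"
        dst4 = embedded_ipv4(dst6)
        # Basic destination sanity check (assumption: only the ISATAP address form is tested)
        if ipaddress.IPv6Address(dst6) not in self.my_prefix or dst4 is None:
            return "drop: dst6 is not an ISATAP address in my prefix"
        return "encapsulate to " + str(dst4)

    def recv_check(self, src4, src6):
        """On decapsulation: accept only if Src6 embeds Src4 (the consistency test the peer applies)."""
        return embedded_ipv4(src6) == ipaddress.IPv4Address(src4)


if __name__ == "__main__":
    a = IsatapRouter("192.0.2.1", "2001:db8:a::/64")   # constructed router A
    # Scenario 1: Src6 = B's prefix . A's IPv4, Dst6 = A's prefix . B's IPv4 (B = 198.51.100.2)
    print(a.xmit_check("2001:db8:b::200:5efe:192.0.2.1", "2001:db8:a::200:5efe:198.51.100.2"))
    # Scenario 2: Src6 = 2002::/16 . A's IPv4, Dst6 = A's prefix . relay's IPv4
    print(a.xmit_check("2002:c000:201::1", "2001:db8:a::200:5efe:203.0.113.9"))
    # Ordinary native-IPv6 source bound for an ISATAP host inside A's prefix
    print(a.xmit_check("2001:db8:ffff::1", "2001:db8:a::200:5efe:198.51.100.7"))
```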
