Hi Templin, please see inline.
Templin, Fred L 2009-09-12 Wrote:
>Brian,
>
>> -----Original Message-----
>> From: Brian E Carpenter [mailto:[email protected]]
>> Sent: Friday, September 11, 2009 4:06 PM
>> To: Templin, Fred L
>> Cc: Christian Huitema; v6ops; [email protected]; [email protected]
>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>
>> On 2009-09-12 09:13, Templin, Fred L wrote:
>>
>> (much text deleted)
>>
>> > Otherwise, the best solution IMHO
>> > would be to allow only routers (and not hosts) on the
>> > virtual links.
>>
>> This was of course the original intention for 6to4, so
>> that any misconfiguration issues could be limited to presumably
>> trusted staff and boxes. Unfortunately, reality has turned out
>> to be different, with host-based automatic tunnels becoming
>> popular.
>
>Thanks. I was rethinking this a bit after sending, and
>I may have been too premature in saying routers only
>and not hosts.
>
>What I would rather have said was that mechanisms such as
>SEcure Neighbor Discovery (SEND) may be helpful in private
>addressing domains where spoofing is possible. Let me know
>if this makes sense.
>

IMHO, most of the threats of automatic tunnels, like ISATAP and 6to4, result from spoofing. If SEND or CGA can be used, many attacks could be mitigated.

Thx.

>Fred
>[email protected]
>
>>
>> Brian
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> [email protected]
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------

------------------
Dong Zhang
2009-09-14
