Dong,

> -----Original Message-----
> From: Dong Zhang [mailto:[email protected]]
> Sent: Sunday, September 13, 2009 6:27 PM
> To: Templin, Fred L; Brian E Carpenter
> Cc: v6ops; Christian Huitema; [email protected]; [email protected]
> Subject: Re: RE: Routing loop attacks using IPv6 tunnels
>
> Hi Templin,
>
> Please see inline.
>
> Templin, Fred L 2009-09-12 Wrote:
> >Brian,
> >
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:[email protected]]
> >> Sent: Friday, September 11, 2009 4:06 PM
> >> To: Templin, Fred L
> >> Cc: Christian Huitema; v6ops; [email protected]; [email protected]
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> On 2009-09-12 09:13, Templin, Fred L wrote:
> >>
> >> (much text deleted)
> >>
> >> > Otherwise, the best solution IMHO
> >> > would be to allow only routers (and not hosts) on the
> >> > virtual links.
> >>
> >> This was of course the original intention for 6to4, so
> >> that any misconfiguration issues could be limited to presumably
> >> trusted staff and boxes. Unfortunately, reality has turned out
> >> to be different, with host-based automatic tunnels becoming
> >> popular.
> >
> >Thanks. I was rethinking this a bit after sending, and
> >I may have been too premature in saying routers only
> >and not hosts.
> >
> >What I would rather have said was that mechanisms such as
> >SEcure Neighbor Discovery (SEND) may be helpful in private
> >addressing domains where spoofing is possible. Let me know
> >if this makes sense.
> >
> IMHO, most of the threats of automatic tunnels, like ISATAP and 6to4,
> are resulting from spoofing. If SEND or CGA is possible to be used,
> many attacks could be mitigated.

Thanks for voicing your opinion on this, and I agree.

Fred
[email protected]

>
> Thx.
>
> >Fred
> >[email protected]
> >
> >>
> >> Brian
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> [email protected]
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> >
> ------------------
> Dong Zhang
> 2009-09-14
