Folks, We have published a revision of our I-D entitled "Security Implications of IPv6 options of Type 10xxxxxx", about IPv6 smurf amplifiers.
The I-D is available at: <http://www.ietf.org/internet-drafts/draft-gont-6man-ipv6-smurf-amplifier-01.txt>. The I-D is targeted at the 6man wg, but I thought it might be of interest to v6ops folks, too. Any comments will be very appreciated. Thanks! Best regards, Fernando -------- Original Message -------- From: - Fri Jan 11 13:40:47 2013 From: [email protected] To: [email protected] Cc: [email protected] Subject: New Version Notification for draft-gont-6man-ipv6-smurf-amplifier-01.txt Message-ID: <[email protected]> Date: Fri, 11 Jan 2013 08:40:12 -0800 A new version of I-D, draft-gont-6man-ipv6-smurf-amplifier-01.txt has been successfully submitted by Fernando Gont and posted to the IETF repository. Filename: draft-gont-6man-ipv6-smurf-amplifier Revision: 01 Title: Security Implications of IPv6 options of Type 10xxxxxx Creation date: 2013-01-11 WG ID: Individual Submission Number of pages: 9 URL: http://www.ietf.org/internet-drafts/draft-gont-6man-ipv6-smurf-amplifier-01.txt Status: http://datatracker.ietf.org/doc/draft-gont-6man-ipv6-smurf-amplifier Htmlized: http://tools.ietf.org/html/draft-gont-6man-ipv6-smurf-amplifier-01 Diff: http://www.ietf.org/rfcdiff?url2=draft-gont-6man-ipv6-smurf-amplifier-01 Abstract: When an IPv6 node processing an IPv6 packet does not support an IPv6 option whose two-highest-order bits of the Option Type are '10', it is required to respond with an ICMPv6 Parameter Problem error message, even if the Destination Address of the packet was a multicast address. This feature provides an amplification vector, opening the door to an IPv6 version of the 'Smurf' Denial-of-Service (DoS) attack found in IPv4 networks. This document discusses the security implications of the aforementioned options, and formally updates RFC 2460 such that this attack vector is eliminated. Additionally, it describes a number of operational mitigations that could be deployed against this attack vector. The IETF Secretariat _______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
