Glenn Morrow wrote in the IPv6 mailing list:

 >Is this the appropriate group to discuss possible improvements
 >to detection, prevention, reporting and action against DoS
 >and DDoS attack for IPv6?
 >
 >It seems to me that perhaps a less constrained set of
 >mechanisms could be put in place to more effectively
 >deal with the issue than in IPv4. It may also be possible
 >to better harmonize these solutions with proposed node
 >mobility, renumbering and multihoming solutions.

We believe addressing DoS and DDoS concerns should be a
high priority.

One idea we have played with is a general-purpose
IP-layer DoS protection scheme, applicable to both
existing and new protocols. For instance, servers could
use a combination of additional packet roundtrips,
client-stored state, and cryptographic puzzles to
prevent resource starvation, requests from forged
source addresses, and massive request generation from
distributed clients. Today, people seem to be hoping
that the application protocols do this by
themselves. And, frankly, we're not doing a very good
job at that. Most protocols, even security protocols,
are known to have DoS problems that would have been
possible to solve, had more attention been paid to them
in the design work.

The question is, is there something that could be done
as a general support in IP (IPv6) for this? Such as
ICMP mechanisms that demand puzzle solving from a
client before proceeding etc. Needless to say, these
mechanisms shouldn't create additional DoS
possibilities.

At this time we are not sure what the mechanisms in
detail could be, whether they work on the IP layer or
if they are reusable protocol components integrated into
application protocols (a la SSL), or whether it is
possible to avoid additional DoS dangers. Or if we
just need a protocol designer's guide that explains
how new protocols must deal with DoS attacks.

 >Would people recommend a new WG to deal with
 >these particulars or do people feel that this
 >or another existing WG is sufficient?

Well, there are a number of potential discussion places:

* The current DoS and security issues in mobile IP would
   call for some discussion in that group.
* The current DoS issues for some of the IPv6 signaling
   and address autoconfiguration call for some discussion
   in that group. There are also some autoconfiguration
   issues in the zeroconf WG.
* In the Internet Area, there is the itrace WG which is
   specifically chartered for looking into DoS, but is
   looking only at a particular solution. Is this
   solution sufficient for all DoS issues? We're not sure
   but at least some of the individual DoS concerns such
   as attacking address autoconfiguration don't really
   fall on the area that i-trace can deal with.
* The HIP BOF on Tuesday seemed to decide that a
   new WG will be created to implement new identity
   mechanisms in IP, in order to deal better with
   mobility and DoS attacks.
* Perhaps a completely new, separate working group might
   also be a possibility.

In any case, we think DoS should get more attention
than many of the other issues such as confidentiality
and privacy that have been dealt with early.

Jari Arkko
Pekka Nikander
Ericsson


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
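The message above sketches a server-side defence built from an extra packet round trip, state kept by the client rather than the server, and a cryptographic puzzle. The following is an added illustration of that combination, not code from the authors or from any IETF work: a server issues a challenge whose nonce is an HMAC over the client address, issue time and difficulty (so it stores nothing per client), a genuine client must find a counter whose hash has the required number of leading zero bits, and the server verifies with one HMAC and one hash. All names (`make_challenge`, `solve_challenge`, `verify_solution`, `difficulty_for_load`), the `SERVER_SECRET`, the 60-second lifetime and the 2001:db8:: sample addresses are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Constructed server secret for this example; a deployment would rotate it.
SERVER_SECRET = os.urandom(32)
CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


def difficulty_for_load(pending_requests, baseline=8, step=200, max_bits=24):
    """Raise the puzzle cost as the server's backlog grows, capped at max_bits."""
    return min(max_bits, baseline + pending_requests // step)


def make_challenge(client_addr, difficulty, now=None):
    """Server side: issue a challenge without keeping any per-client state.

    The nonce binds the client address, issue time and difficulty under the
    server secret, so the server can later recompute it from what the client
    echoes back instead of remembering it. A forged source address never
    receives this message, so it can never answer it.
    """
    issued = int(now if now is not None else time.time())
    msg = f"{client_addr}|{issued}|{difficulty}".encode()
    nonce = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return {"nonce": nonce, "issued": issued, "difficulty": difficulty}


def _leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def _puzzle_hash(challenge, client_addr, solution):
    data = f"{challenge['nonce']}|{client_addr}|{solution}".encode()
    return hashlib.sha256(data).digest()


def solve_challenge(challenge, client_addr):
    """Client side: search a counter until the hash has enough leading zero bits.

    Expected work is 2**difficulty hashes for the client; checking costs one.
    """
    solution = 0
    while _leading_zero_bits(_puzzle_hash(challenge, client_addr, solution)) < challenge["difficulty"]:
        solution += 1
    return solution


def verify_solution(client_addr, challenge, solution, now=None):
    """Server side: check freshness, recompute the nonce, then check the puzzle.

    Because difficulty is inside the HMAC, a client cannot lower it; because
    the address is inside it, a solution is useless from any other address.
    """
    now = now if now is not None else time.time()
    if not (0 <= now - challenge["issued"] <= CHALLENGE_TTL):
        return False
    expected = make_challenge(client_addr, challenge["difficulty"], now=challenge["issued"])["nonce"]
    if not hmac.compare_digest(expected, challenge["nonce"]):
        return False
    return _leading_zero_bits(_puzzle_hash(challenge, client_addr, solution)) >= challenge["difficulty"]


if __name__ == "__main__":
    client = "2001:db8::1"  # constructed client address
    # Round trip 1: client asks, server replies with a challenge and forgets it.
    challenge = make_challenge(client, difficulty_for_load(pending_requests=1000))
    # Client does the work and returns the challenge plus its solution.
    answer = solve_challenge(challenge, client)
    # Round trip 2: server verifies cheaply before committing any resources.
    print("genuine client accepted:", verify_solution(client, challenge, answer))
    print("replayed from another address:", verify_solution("2001:db8::2", challenge, answer))
    print("difficulty lowered by client:", verify_solution(client, dict(challenge, difficulty=1), answer))
```

The server's only cost before verification is one HMAC per challenge and, after it, one HMAC plus one hash, while the client's cost grows with `difficulty`; raising the difficulty under load is what keeps massive request generation from distributed clients from starving the server, and the echoed challenge is the client-stored state the message refers to.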
