> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:iljit...@muada.com]
> Sent: Monday, July 20, 2009 7:57 AM
> To: Dave Thaler
> Cc: Christian Huitema; Xing Li; 6man; Behave WG
> Subject: Re: [BEHAVE] Perils of structured host identifiers
>
> On 17 jul 2009, at 20:29, Dave Thaler wrote:
>
> >> In the NAT64 case that would mean that a fake NAT64
> >> tries to spoof the source addresses (that encode IPv4 addresses) of
> >> the real NAT64.
>
> > Now you lost me.  If a NAT64 (whether stateless or stateful) uses
> > a CGA, then it can be validated as being the legitimate source of
> > an IPv6 packet (that was translated from IPv4).  Another IPv6
> > source cannot spoof such traffic.
>
> This can arguably be useful if the first packet originates from the
> real or fake NAT64. But that would be rare; the first packet comes
> from the client host. If this host can be tricked into sending packets
> to the fake NAT64, there's not much point in doing a CGA check for the
> return traffic: even if the client knows the traffic is fake, the fact
> that the traffic was directed to the fake NAT64 in the first place
> creates a successful denial of service.

Sounds like we're in sync now.  We agree it can be arguably useful
in cases that may not be important, because of the vulnerabilities
that still exist on the IPv4 side.

-Dave
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------