Comment below
On 3 Sep 09 at 17:59, Templin, Fred L wrote:
Gabi,
-----Original Message-----
From: Gabi Nakibly [mailto:gnaki...@yahoo.com]
Sent: Thursday, September 03, 2009 8:00 AM
To: Templin, Fred L; v6ops
Cc: ipv6@ietf.org; sec...@ietf.org
Subject: Re: Routing loop attacks using IPv6 tunnels
Hi Fred,
see inline.
Gabi
----- Original Message ----
From: "Templin, Fred L" <fred.l.temp...@boeing.com>
To: Gabi Nakibly <gnaki...@yahoo.com>; v6ops <v6...@ops.ietf.org>
Cc: ipv6@ietf.org; sec...@ietf.org
Sent: Tuesday, September 1, 2009 6:49:56 PM
Subject: RE: Routing loop attacks using IPv6 tunnels
Gabi,
-----Original Message-----
From: Gabi Nakibly [mailto:gnaki...@yahoo.com]
Sent: Monday, August 31, 2009 12:41 PM
To: Templin, Fred L; v6ops
Cc: ipv6@ietf.org; sec...@ietf.org
Subject: Re: Routing loop attacks using IPv6 tunnels
Fred,
I agree that the source address check discussed below should be made. I would also add a fourth check to mitigate attack #3 as a second layer of defense in case the opposite ISATAP router does not make the proper check on the destination address.
isatap_xmt() {
    ...
    if (src == "<foreign prefix>::0200:5efe:<my IP address>")
        drop_pkt(); /* attack #3 mitigation */
    ...
}
Having thought about it a bit, I agree but for ISATAP I see
the source address check as a MAY and the destination address
check as a SHOULD.
The following two scenarios show, in my understanding, that ISATAP routers SHOULD check the source addresses of packets they receive in IPv6:
SCENARIO 1: between two ISATAP routers A and B
ISATAP router A receives in IPv6:
Dst6 = </96 prefix of ISATAP router A> . <IPv4 address of ISATAP router B>
Src6 = </96 prefix of ISATAP router B> . <IPv4 address of ISATAP router A>
If ISATAP router A doesn't discard the packet because of its
source address, it will encapsulate it with:
Dst4 = <IPv4 address of ISATAP router B>
Src4 = <IPv4 address of ISATAP router A>
Then, ISATAP router B finds that Src6 and Src4 are consistent, and
forwards the IPv6 packet to ISATAP router A.
The routing loop is in place.
SCENARIO 2: between an ISATAP router and a 6to4 relay router
The ISATAP router receives in IPv6:
Dst6 = </96 prefix of the ISATAP router> . <IPv4 address of the 6to4 relay>
Src6 = 2002::/16 . <IPv4 address of the ISATAP router>
If it doesn't discard the packet because of its source address, it
will encapsulate it with:
Dst4 = <IPv4 address of the 6to4 relay>
Src4 = <IPv4 address of the ISATAP router>
Then, the 6to4 relay finds that Src6 and Src4 are consistent, and
forwards the IPv6 packet to the ISATAP router.
The routing loop is in place.
Anything missing?
Regards,
RD
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------