Comment below

On 3 Sept. 09 at 17:59, Templin, Fred L wrote:

Gabi,

-----Original Message-----
From: Gabi Nakibly [mailto:gnaki...@yahoo.com]
Sent: Thursday, September 03, 2009 8:00 AM
To: Templin, Fred L; v6ops
Cc: ipv6@ietf.org; sec...@ietf.org
Subject: Re: Routing loop attacks using IPv6 tunnels

Hi Fred,
see inline.

Gabi

----- Original Message ----
From: "Templin, Fred L" <fred.l.temp...@boeing.com>
To: Gabi Nakibly <gnaki...@yahoo.com>; v6ops <v6...@ops.ietf.org>
Cc: ipv6@ietf.org; sec...@ietf.org
Sent: Tuesday, September 1, 2009 6:49:56 PM
Subject: RE: Routing loop attacks using IPv6 tunnels

Gabi,

-----Original Message-----
From: Gabi Nakibly [mailto:gnaki...@yahoo.com]
Sent: Monday, August 31, 2009 12:41 PM
To: Templin, Fred L; v6ops
Cc: ipv6@ietf.org; sec...@ietf.org
Subject: Re: Routing loop attacks using IPv6 tunnels

Fred,

I agree that the source address check discussed below should be made. I would
also add a fourth check to mitigate attack #3 as a second layer of defense in
case the opposite ISATAP router does not make the proper check on the
destination address.

isatap_xmt() {
    ...
    if (src == "<foreign prefix>::0200:5efe:<my IP address>")
        drop_pkt(); /* attack #3 mitigation */
    ...
}

Having thought about it a bit, I agree but for ISATAP I see
the source address check as a MAY and the destination address
check as a SHOULD.


The two following scenarios show in my understanding that ISATAP routers SHOULD check the source addresses of packets they receive in IPv6:

SCENARIO 1: between two ISATAP routers A and B

  ISATAP router A receives in IPv6:
  Dst6 = </96 prefix of ISATAP router A> . <IPv4 address of ISATAP router B>
  Src6 = </96 prefix of ISATAP router B> . <IPv4 address of ISATAP router A>

If ISATAP router A doesn't discard the packet because of its source address, it will encapsulate it with:
  Dst4 = <IPv4 address of ISATAP router B>
  Src4 = <IPv4 address of ISATAP router A>

Then, ISATAP router B finds that Src6 and Src4 are consistent, and forwards the IPv6 packet to ISATAP router A.
  The routing loop is in place.

SCENARIO 2: between an ISATAP router and a 6to4 relay router

  The ISATAP router receives in IPv6:
  Dst6 = </96 prefix of the ISATAP router> . <IPv4 address of the 6to4 relay>
  Src6 = 2002::/16 . <IPv4 address of the ISATAP router>

If it doesn't discard the packet because of its source address, it will encapsulate it with:
  Dst4 = <IPv4 address of the 6to4 relay>
  Src4 = <IPv4 address of the ISATAP router>

Then, the 6to4 relay finds that Src6 and Src4 are consistent, and forwards the IPv6 packet to the ISATAP router.
  The routing loop is in place.

Anything missing?

Regards,
RD
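
As an added illustration (not code from this thread or from any ISATAP implementation), the source-address check that both scenarios above call for, written in Python. The router's own IPv4 address and the sample source addresses are constructed from documentation ranges; the destination-address check on the receiving router is not modelled.

```python
import ipaddress
from typing import Optional

# Constructed example value (not from the thread): this router's own IPv4
# address, taken from the documentation range.
MY_IPV4 = "192.0.2.1"

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
# Top 16 bits of an ISATAP interface identifier: ::0:5efe:v4 (private IPv4)
# or ::200:5efe:v4 (globally unique IPv4, u bit set).
ISATAP_IID_TAGS = (0x0000, 0x0200)


def self_embedding_tunnel_source(src6: str, my_ipv4: str = MY_IPV4) -> Optional[str]:
    """Detect an IPv6 source address that embeds this router's own IPv4
    address, the pattern behind both loop scenarios.

    Returns "isatap" for <any prefix>::{0,200}:5efe:<my IPv4> (scenario 1),
    "6to4" for 2002:<my IPv4>::/48 (scenario 2), or None otherwise.
    """
    addr = ipaddress.IPv6Address(src6)
    n = int(addr)
    v4 = int(ipaddress.IPv4Address(my_ipv4))

    # Scenario 1: ISATAP interface identifier in the low 64 bits whose
    # embedded IPv4 address (the low 32 bits) is our own.
    iid = n & ((1 << 64) - 1)
    if (iid & 0xFFFFFFFF) == v4 and ((iid >> 32) & 0xFFFF) == 0x5EFE \
            and (iid >> 48) in ISATAP_IID_TAGS:
        return "isatap"

    # Scenario 2: 6to4 prefix 2002:<IPv4>::/48 derived from our own address;
    # the IPv4 address sits in bits 16..47 counted from the top.
    if addr in SIX_TO_FOUR and ((n >> 80) & 0xFFFFFFFF) == v4:
        return "6to4"
    return None


def isatap_xmt(src6: str, my_ipv4: str = MY_IPV4) -> str:
    """Source check before an ISATAP router encapsulates an IPv6 packet.

    Returns "drop:<kind>-loop" when the source embeds our own IPv4 address
    (the packet would come straight back), otherwise "forward".
    """
    kind = self_embedding_tunnel_source(src6, my_ipv4)
    if kind is not None:
        return f"drop:{kind}-loop"
    return "forward"
```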


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------