Brian,

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpen...@gmail.com]
> Sent: Monday, September 14, 2009 9:03 PM
> To: Templin, Fred L
> Cc: v6ops; Christian Huitema; ipv6@ietf.org; sec...@ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
>
> On 2009-09-15 04:25, Templin, Fred L wrote:
> > Brian,
> >
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:brian.e.carpen...@gmail.com]
> >> Sent: Friday, September 11, 2009 6:27 PM
> >> To: Templin, Fred L
> >> Cc: v6ops; Christian Huitema; ipv6@ietf.org; sec...@ietf.org
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> On 2009-09-12 11:12, Templin, Fred L wrote:
> >>> Brian,
> >>>
> >>>> -----Original Message-----
> >>>> From: Brian E Carpenter [mailto:brian.e.carpen...@gmail.com]
> >>>> Sent: Friday, September 11, 2009 4:06 PM
> >>>> To: Templin, Fred L
> >>>> Cc: Christian Huitema; v6ops; ipv6@ietf.org; sec...@ietf.org
> >>>> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>>>
> >>>> On 2009-09-12 09:13, Templin, Fred L wrote:
> >>>>
> >>>> (much text deleted)
> >>>>
> >>>>> Otherwise, the best solution IMHO
> >>>>> would be to allow only routers (and not hosts) on the
> >>>>> virtual links.
> >>>> This was of course the original intention for 6to4, so
> >>>> that any misconfiguration issues could be limited to presumably
> >>>> trusted staff and boxes. Unfortunately, reality has turned out
> >>>> to be different, with host-based automatic tunnels becoming
> >>>> popular.
> >>> Thanks. I was rethinking this a bit after sending, and
> >>> I may have been too premature in saying routers only
> >>> and not hosts.
> >>>
> >>> What I would rather have said was that mechanisms such as
> >>> SEcure Neighbor Discovery (SEND) may be helpful in private
> >>> addressing domains where spoofing is possible. Let me know
> >>> if this makes sense.
> >> Except for the practical problems involved in deploying SEND.
> >
> > Can it be said that there is any appreciable operational
> > experience with SEND yet? Are there implementations?
>
> I'd like to know that too.
>
> >> We still have an issue in unmanaged networks.
> >
> > By "unmanaged", how unmanaged do you mean?
>
> I was thinking of home networks, the kind where Teredo or
> 6to4 starts up spontaneously. Probably not a concern for
> ISATAP sites.

OK, thanks for the clarification. I think you probably mean home networks where the home gateway has not yet been turned into an ISATAP router - else, it would be a managed network. Does that sound right?

Fred
fred.l.temp...@boeing.com

> Brian
>
> > ISATAP is
> > intended for networks where there is at least some modicum
> > of cooperative management. We also want it to be usable
> > in "loosely" managed networks where there is an overall mutual
> > spirit of cooperation but where site-internal link-layer
> > address spoofing may still be possible. Can SEND be used
> > for that, or do we need something else in addition (e.g.,
> > a nonce with every message)?
> >
> > Thanks - Fred
> > fred.l.temp...@boeing.com
> >
> >> Brian
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------