Re: [secdir] Routing loop attacks using IPv6 tunnels

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 11 September 2009 23:05 UTC

Message-ID: <4AAAD7C1.2060709@gmail.com>
Date: Sat, 12 Sep 2009 11:05:37 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
Cc: Gabi Nakibly <gnakibly@yahoo.com>, Christian Huitema <huitema@microsoft.com>, v6ops <v6ops@ops.ietf.org>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels

On 2009-09-12 09:13, Templin, Fred L wrote:

(much text deleted)

> Otherwise, the best solution IMHO
> would be to allow only routers (and not hosts) on the
> virtual links. 

This was of course the original intention for 6to4, so
that any misconfiguration issues could be limited to presumably
trusted staff and boxes. Unfortunately, reality has turned out
to be different, with host-based automatic tunnels becoming
popular.

     Brian