Re: [secdir] Routing loop attacks using IPv6 tunnels

"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 11 September 2009 23:11 UTC

Date: Fri, 11 Sep 2009 16:12:23 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: "Brian E Carpenter" <brian.e.carpenter@gmail.com>
Cc: v6ops <v6ops@ops.ietf.org>, Christian Huitema <huitema@microsoft.com>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels

Brian,

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: Friday, September 11, 2009 4:06 PM
> To: Templin, Fred L
> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
> 
> On 2009-09-12 09:13, Templin, Fred L wrote:
> 
> (much text deleted)
> 
> > Otherwise, the best solution IMHO
> > would be to allow only routers (and not hosts) on the
> > virtual links.
> 
> This was of course the original intention for 6to4, so
> that any misconfiguration issues could be limited to presumably
> trusted staff and boxes. Unfortunately, reality has turned out
> to be different, with host-based automatic tunnels becoming
> popular.

Thanks. I was rethinking this a bit after sending, and
I may have been too premature in saying routers only
and not hosts.

What I would rather have said was that mechanisms such as
SEcure Neighbor Discovery (SEND) may be helpful in private
addressing domains where spoofing is possible. Let me know
if this makes sense.

Fred
fred.l.templin@boeing.com

> 
>      Brian
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------