Re: [BEHAVE] Perils of structured host identifiers

To: Dave Thaler <dthaler at microsoft.com>
Subject: Re: [BEHAVE] Perils of structured host identifiers
From: Iljitsch van Beijnum <iljitsch at muada.com>
Date: Mon, 20 Jul 2009 16:56:56 +0200
Cc: Christian Huitema <huitema at microsoft.com>, Xing Li <xing at cernet.edu.cn>, Behave WG <behave at ietf.org>, 6man <ipv6 at ietf.org>
Delivered-to: ipv6 at core3.amsl.com
In-reply-to: <E4561B14EE2A3E4E9D478EBFB5416E1B0F9467 at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
References: <E4561B14EE2A3E4E9D478EBFB5416E1B0A2F5A at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <18256DC3-184D-48FE-B37C-2F9867597304 at free.fr> <E4561B14EE2A3E4E9D478EBFB5416E1B0A5745 at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <EB331E19-8164-4805-A412-4686D16C955F at free.fr> <4A4F5F9A.40202 at gmail.com> <268554C4-E415-492E-B950-4B9531F53CEA at free.fr> <6B55F0F93C3E9D45AF283313B8D342BA0436FB0A at TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com> <4A524FE3.8070101 at it.uc3m.es> <204533CC-5DEE-47DD-A2CD-CF1EC41A4679 at muada.com> <E4561B14EE2A3E4E9D478EBFB5416E1B0C1A9A at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com> <2BAEB3B6-3FAE-4396-B568-6E71D012029F at muada.com> <E4561B14EE2A3E4E9D478EBFB5416E1B0F9467 at TK5EX14MBXW651.wingroup.windeploy.ntdev.microsoft.com>

On 17 jul 2009, at 20:29, Dave Thaler wrote:

In the NAT64 case that would mean that a fake NAT64
tries to spoof the source addresses (that encode IPv4 addresses) of
the real NAT64.

Now you lost me.  If a NAT64 (whether stateless or stateful) uses
a CGA, then it can be validated as being the legitimate source of
an IPv6 packet (that was translated from IPv4).  Another IPv6
source cannot spoof such traffic.

This can arguably be useful if the first packet originates from thereal or fake NAT64. But that would be rare, the first packet comesfrom the client host. If this host can be tricked into sending packetsto the fake NAT64, there's not much point in doing a CGA check for thereturn traffic: even if the client knows the traffic is fake the factthat the traffic was directed to the fake NAT64 in the first placecreates a successful denial of service.

Follow-Ups:
- RE: [BEHAVE] Perils of structured host identifiers
  - From: Dave Thaler

References:
- Re: [BEHAVE] Modified EUI-64 format
  - From: Rémi Després
- Re: [BEHAVE] Modified EUI-64 format
  - From: Brian E Carpenter
- Re: [BEHAVE] Modified EUI-64 format
  - From: Rémi Després
- Perils of structured host identifiers (was: Modified EUI-64 format)
  - From: Christian Huitema
- Re: [BEHAVE] Perils of structured host identifiers
  - From: marcelo bagnulo braun
- Re: [BEHAVE] Perils of structured host identifiers
  - From: Iljitsch van Beijnum
- RE: [BEHAVE] Perils of structured host identifiers
  - From: Dave Thaler
- Re: [BEHAVE] Perils of structured host identifiers
  - From: Iljitsch van Beijnum
- RE: [BEHAVE] Perils of structured host identifiers
  - From: Dave Thaler

Prev by Date: RE: [BEHAVE] Perils of structured host identifiers
Next by Date: RE: [BEHAVE] Perils of structured host identifiers
Previous by thread: RE: [BEHAVE] Perils of structured host identifiers
Next by thread: RE: [BEHAVE] Perils of structured host identifiers
Index(es):
- Date
- Thread

Re: [BEHAVE] Perils of structured host identifiers

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.