RE: [BEHAVE] Perils of structured host identifiers
> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:iljitsch at muada.com]
> Sent: Monday, July 20, 2009 7:57 AM
> To: Dave Thaler
> Cc: Christian Huitema; Xing Li; 6man; Behave WG
> Subject: Re: [BEHAVE] Perils of structured host identifiers
>
> On 17 jul 2009, at 20:29, Dave Thaler wrote:
>
> >> In the NAT64 case that would mean that a fake NAT64
> >> tries to spoof the source addresses (that encode IPv4 addresses) of
> >> the real NAT64.
>
> > Now you lost me. If a NAT64 (whether stateless or stateful) uses
> > a CGA, then it can be validated as being the legitimate source of
> > an IPv6 packet (that was translated from IPv4). Another IPv6
> > source cannot spoof such traffic.
>
> This can arguably be useful if the first packet originates from the
> real or fake NAT64. But that would be rare, the first packet comes
> from the client host. If this host can be tricked into sending packets
> to the fake NAT64, there's not much point in doing a CGA check for the
> return traffic: even if the client knows the traffic is fake the fact
> that the traffic was directed to the fake NAT64 in the first place
> creates a successful denial of service.
Sounds like we're in sync now. We agree it can be arguably useful
in cases that may not be important, because of the vulnerabilities
that still exist on the IPv4 side.
-Dave