securing 6bone tunnels
Jun-ichiro itojun Hagino
itojun@iijlab.net
Fri, 09 Mar 2001 16:50:25 +0900
as I have been worried, there are traffic injection tools (attack tools)
for 6bone endpoints: http://www.pkcrew.org/tools.html. bad guys
can inject fabricated IPv6 traffic without even participating in 6bone,
if they know a pair of 6bone tunnel endpoint addresses, and it will be
harder to track the bad guy down as tunnel decapsulation will lose
information on the outer header fields.
to avoid attacks, I would like to encourage 6bone tunnel operators
to establish an IPv4 transport-mode AH (or IPv6-over-IPv4 tunnel-mode
AH) relationship with their peers. how to do this is implementation
dependent. for KAME-based platforms, you'd need to get the latest
KAME tree from ftp://ftp.kame.net/pub/kame/snap/ (*BSD releases
do not have enough policy checking code).
itojun
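As an added example (not part of itojun's post), this is what the recommended IPv4 transport-mode AH relationship looks like as a KAME setkey(8) script on one tunnel endpoint; the peer loads the mirror image. The endpoint addresses, SPIs and HMAC-SHA1 keys are constructed placeholders and must be replaced by values agreed with the peer out of band.

```conf
# Added example, not from the original post. Load with: setkey -f <this file>
# 192.0.2.1 is the local IPv4 tunnel endpoint, 198.51.100.1 the peer's
# (constructed documentation addresses). SPIs and keys are constructed too.
flush;
spdflush;

# Security associations, one per direction, with distinct 160-bit keys
# (hmac-sha1 requires exactly 160 bits = 40 hex digits).
add 192.0.2.1 198.51.100.1 ah 0x200 -A hmac-sha1
    0x0102030405060708090a0b0c0d0e0f1011121314;
add 198.51.100.1 192.0.2.1 ah 0x201 -A hmac-sha1
    0x2122232425262728292a2b2c2d2e2f3031323334;

# Policy: the encapsulated IPv6 traffic (IP protocol 41, named "ipv6" in
# /etc/protocols) between the two endpoints is sent only with AH in
# transport mode, and inbound proto-41 packets claiming the peer's address
# are discarded by the policy check unless they carry a valid AH.
spdadd 192.0.2.1 198.51.100.1 ipv6 -P out ipsec ah/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipv6 -P in  ipsec ah/transport//require;
```

Because AH authenticates the outer IPv4 header, a forged proto-41 packet that merely spoofs the peer's address fails the integrity check and never reaches the tunnel decapsulation step.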