[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

securing 6bone tunnels

	as I have been worried, there's traffic injection tools (attack tool)
	for 6bone endpoints: http://www.pkcrew.org/tools.html.  bad guys
	can inject fabricated IPv6 traffic without even paticipating to 6bone,
	if he knows a pair of 6bone tunnel endpoint address, and it will be
	harder to track the bad guy down as tunnel decapsulation will lose
	information on the outer header fields.

	to avoid attacks, I would like to encourage 6bone tunnel operators
	to establish IPv4 transport-mode AH (or IPv6-over-IPv4 tunnel
	mode AH) relationship with your peer.  how to do this is implementation
	dependent.  for KAME-based platforms, you'd need to get the latest
	KAME tree from ftp://ftp.kame.net/pub/kame/snap/ (*BSD releases
	do not have enough policy checking code).