Security Considerations for 6to4 (RFC3964)

IP.com Disclosure Number: IPCOM000033255D
Original Publication Date: 2004-Dec-01
Included in the Prior Art Database: 2004-Dec-02
Document File: 42 page(s) / 84K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

P. Savola: AUTHOR [+2]

Abstract

The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks. The architecture includes 6to4 routers and 6to4 relay routers, which accept and decapsulate IPv4 protocol-41 ("IPv6-in-IPv4") traffic from any node in the IPv4 internet. This characteristic enables a number of security threats, mainly Denial of Service. It also makes it easier for nodes to spoof IPv6 addresses. This document discusses these issues in more detail and suggests enhancements to alleviate the problems.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 4% of the total text.

Network Working Group                                          P. Savola
Request for Comments: 3964                                     CSC/FUNET
Category: Informational                                         C. Patel
                                                       All Play, No Work
                                                           December 2004

                    Security Considerations for 6to4

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   The IPv6 interim mechanism 6to4 (RFC3056) uses automatic
   IPv6-over-IPv4 tunneling to interconnect IPv6 networks.  The
   architecture includes 6to4 routers and 6to4 relay routers, which
   accept and decapsulate IPv4 protocol-41 ("IPv6-in-IPv4") traffic from
   any node in the IPv4 internet.  This characteristic enables a number
   of security threats, mainly Denial of Service.  It also makes it
   easier for nodes to spoof IPv6 addresses.  This document discusses
   these issues in more detail and suggests enhancements to alleviate
   the problems.
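The decapsulation checks that limit the spoofing the abstract describes, as an added example that is not part of RFC 3964 or this record: a 6to4 inner source (2002:WWXX:YYZZ::/48) is accepted only if its embedded IPv4 address equals the outer IPv4 source, and embedded addresses in private, loopback, link-local or multicast space are dropped. The disallowed-range list, the function names and the constructed packets are assumptions of this example, not text from the document.

```python
import ipaddress
import struct

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# IPv4 ranges that must never appear embedded in a 6to4 address (assumed list)
DISALLOWED_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def embedded_ipv4(addr):
    """IPv4 address carried in a 6to4 address 2002:WWXX:YYZZ::/48, or None if not 6to4."""
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address(addr.packed[2:6])


def ipv6_header(src, dst, next_header=59, payload_len=0):
    """Build a minimal 40-byte IPv6 header as constructed test input
    (next header 59 = no next header, hop limit 64)."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def check_decapsulation(outer_src, proto, payload):
    """Checks a 6to4 router or relay applies to one received IPv4 packet
    before decapsulating it.  Returns "accept" or a short drop reason."""
    if proto != 41 or len(payload) < 40 or payload[0] >> 4 != 6:
        return "drop:not-ipv6-in-ipv4"
    inner_src = ipaddress.IPv6Address(payload[8:24])
    inner_dst = ipaddress.IPv6Address(payload[24:40])
    src_v4 = embedded_ipv4(inner_src)
    # A 6to4 source can only have been tunneled by the router owning that IPv4 address,
    # so the outer IPv4 source must equal the address embedded in the inner source.
    if src_v4 is not None and src_v4 != ipaddress.IPv4Address(outer_src):
        return "drop:spoofed-6to4-source"
    # Neither endpoint may embed an address that cannot be a real 6to4 router.
    for v4 in (src_v4, embedded_ipv4(inner_dst)):
        if v4 is not None and any(v4 in net for net in DISALLOWED_V4):
            return "drop:disallowed-embedded-ipv4"
    return "accept"


if __name__ == "__main__":
    # Constructed packets: a consistent 6to4 source, then one whose outer source does not match.
    pkt = ipv6_header("2002:c000:201::1", "2001:db8::1")
    print(check_decapsulation("192.0.2.1", 41, pkt))      # accept
    print(check_decapsulation("198.51.100.7", 41, pkt))   # drop:spoofed-6to4-source
```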

Savola & Patel               Informational                      [Page 1]

RFC 3964            Security Considerations for 6to4       December 2004

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Different 6to4 Forwarding Scenarios  . . . . . . . . . . . . .  4
       2.1.  From 6to4 to 6to4  . . . . . . . . . . . . . . . . . . .  4
       2.2.  From Native to 6to4  . . . . . . . . . . . . . . . . . .  5
       2.3.  From 6to4 to Native  . . . . . . . . . . . . . . . . . .  5
       2.4.  Other Models . . . . . . . . . . . . . . . . . . . . . .  6
             2.4.1.  BGP between 6to4 Routers and Relays  . . . . . .  6
             2.4.2.  6to4 as an Optimization Method . . . . . . . . .  7
             2.4.3.  6to4 as Tunnel End-Point Addressing Mechanism . . 8
   3.  Functionalities of 6to4 Network Components . . . . . . . . . .  9
       3.1.  6to4 Routers . . . . . . . . . . . . . . . . . . . . . .  9
       3.2.  6to4 Relay Routers . . . . . . . . . . . . . . . . . . . 10
   4.  Threat Analysis  . . . . . . . . . . . . . . . . . . . . . . . 11
       4.1.  Attacks on 6to4 Networks . . . . . . . . . . . . . . . . 12
             4.1.1.  Attacks with ND Messages . . . . . . . . . . . . 13
             4.1.2.  Spoofi...