Difference between revisions of "RFC3964"

Revision as of 15:31, 24 September 2020

Network Working Group P. Savola Request for Comments: 3964 CSC/FUNET Category: Informational C. Patel

                                                   All Play, No Work
                                                       December 2004

                Security Considerations for 6to4

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks. The architecture includes 6to4 routers and 6to4 relay routers, which accept and decapsulate IPv4 protocol-41 ("IPv6-in-IPv4") traffic from any node in the IPv4 internet. This characteristic enables a number of security threats, mainly Denial of Service. It also makes it easier for nodes to spoof IPv6 addresses. This document discusses these issues in more detail and suggests enhancements to alleviate the problems.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Different 6to4 Forwarding Scenarios . . . . . . . . . . . . . 4

   2.1.  From 6to4 to 6to4  . . . . . . . . . . . . . . . . . . .  4
   2.2.  From Native to 6to4  . . . . . . . . . . . . . . . . . .  5
   2.3.  From 6to4 to Native  . . . . . . . . . . . . . . . . . .  5
   2.4.  Other Models . . . . . . . . . . . . . . . . . . . . . .  6
         2.4.1.  BGP between 6to4 Routers and Relays  . . . . . .  6
         2.4.2.  6to4 as an Optimization Method . . . . . . . . .  7
         2.4.3.  6to4 as Tunnel End-Point Addressing Mechanism . . 8

3. Functionalities of 6to4 Network Components . . . . . . . . . . 9

   3.1.  6to4 Routers . . . . . . . . . . . . . . . . . . . . . .  9
   3.2.  6to4 Relay Routers . . . . . . . . . . . . . . . . . . . 10

4. Threat Analysis . . . . . . . . . . . . . . . . . . . . . . . 11

   4.1.  Attacks on 6to4 Networks . . . . . . . . . . . . . . . . 12
         4.1.1.  Attacks with ND Messages . . . . . . . . . . . . 13
         4.1.2.  Spoofing Traffic to 6to4 Nodes . . . . . . . . . 14
         4.1.3.  Reflecting Traffic to 6to4 Nodes . . . . . . . . 17
         4.1.4.  Local IPv4 Broadcast Attack  . . . . . . . . . . 19
   4.2.  Attacks on Native IPv6 Internet  . . . . . . . . . . . . 20
         4.2.1.  Attacks with ND Messages . . . . . . . . . . . . 21
         4.2.2.  Spoofing Traffic to Native IPv6 Nodes. . . . . . 21
         4.2.3.  Reflecting Traffic to Native IPv6 Nodes  . . . . 23
         4.2.4.  Local IPv4 Broadcast Attack  . . . . . . . . . . 24
         4.2.5.  Theft of Service . . . . . . . . . . . . . . . . 25
         4.2.6.  Relay Operators Seen as Source of Abuse  . . . . 26
   4.3.  Attacks on IPv4 Internet . . . . . . . . . . . . . . . . 28
   4.4.  Summary of the Attacks . . . . . . . . . . . . . . . . . 28

5. Implementing Proper Security Checks in 6to4 . . . . . . . . . 30

   5.1.  Encapsulating IPv6 into IPv4 . . . . . . . . . . . . . . 31
   5.2.  Decapsulating IPv4 into IPv6 . . . . . . . . . . . . . . 31
   5.3.  IPv4 and IPv6 Sanity Checks  . . . . . . . . . . . . . . 32
         5.3.1.  IPv4 . . . . . . . . . . . . . . . . . . . . . . 32
         5.3.2.  IPv6 . . . . . . . . . . . . . . . . . . . . . . 33
         5.3.3.  Optional Ingress Filtering . . . . . . . . . . . 33
         5.3.4.  Notes about the Checks . . . . . . . . . . . . . 33

6. Issues in 6to4 Implementation and Use . . . . . . . . . . . . 34

   6.1.  Implementation Considerations with Automatic Tunnels . . 34
   6.2.  A Different Model for 6to4 Deployment  . . . . . . . . . 35

7. Security Considerations . . . . . . . . . . . . . . . . . . . 36 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 36 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 37 A. Some Trivial Attack Scenarios Outlined . . . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 41

1 Introduction
2 Different 6to4 Forwarding Scenarios
3 Functionalities of 6to4 Network Components
- 3.1 6to4 Routers
- 3.2 6to4 Relay Routers
4 Threat Analysis
5 Implementing Proper Security Checks in 6to4
6 Issues in 6to4 Implementation and Use
- 6.1 Implementation Considerations with Automatic Tunnels
- 6.2 A Different Model for 6to4 Deployment
7 Security Considerations
8 Acknowledgments
9 References
- 9.1 Normative References
- 9.2 Informative References

Introduction

The IPv6 interim mechanism "6to4" [1] specifies automatic IPv6-over-IPv4 tunneling to interconnect isolated IPv6 clouds by embedding the tunnel IPv4 address in the IPv6 6to4 prefix.

Two characteristics of the 6to4 mechanism introduce most of the security considerations:

1. All 6to4 routers must accept and decapsulate IPv4 packets from

   every other 6to4 router, and from 6to4 relays.

2. 6to4 relay routers must accept traffic from any native IPv6 node.

As the 6to4 router must accept traffic from any other 6to4 router or relay, a certain requirement for trust is implied, and there are no strict constraints on what the IPv6 packet may contain. Thus, addresses within the IPv4 and IPv6 headers may be spoofed, and this leads to various types of threats, including different flavors of Denial of Service attacks.

The 6to4 specification outlined a few security considerations and rules but was ambiguous as to their exact requirement level. Moreover, the description of the considerations was rather short, and some of them have proven difficult to understand or impossible to implement.

This document analyzes the 6to4 security issues in more detail and outlines some enhancements and caveats.

Sections 2 and 3 are more or less introductory, rehashing how 6to4 is used today based on the 6to4 specification, so that it is easier to understand how security could be affected. Section 4 provides a threat analysis for implementations that already implement most of the security checks. Section 5 describes the optimal decapsulation/encapsulation rules for 6to4 implementations, and Section 6 provides further discussion on a few issues that have proven difficult to implement. Appendix A outlines a few possible trivial attack scenarios in which very little or no security has been implemented.

For the sake of simplicity, in this document, the native Internet is assumed to encompass IPv6 networks formed by using other transition mechanisms (e.g., RFC 2893 [4]), as these mechanisms cannot talk directly to the 6to4 network.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [2].

Throughout this memo, IPv4 addresses from blocks 7.0.0.0/24, 8.0.0.0/24, and 9.0.0.0/24 are used for demonstrative purposes, to represent global IPv4 addresses that have no relation to each other. This approach was chosen instead of just using addresses from 192.0.2.0/24 [5] for two reasons: to use addresses whose 6to4 mapping is glaringly obvious, and to make it obvious that the IPv4 addresses of different 6to4 gateways need not have any relation to each other.

Different 6to4 Forwarding Scenarios

Note that when one communicates between 6to4 and native domains, the 6to4 relays that will be used in the two directions are very likely different; routing is highly asymmetric. Because of this, it is not feasible to limit relays from which 6to4 routers may accept traffic.

The first three subsections introduce the most common forms of 6to4 operation. Other models are presented in the fourth subsection.

From 6to4 to 6to4

6to4 domains always exchange 6to4 traffic directly via IPv4 tunneling; the endpoint address V4ADDR is derived from 6to4 prefix 2002:V4ADDR::/48 of the destination.

.--------.           _----_          .--------.
|  6to4  |         _( IPv4 )_        |  6to4  |
| router | <====> ( Internet ) <===> | router |
'--------'         (_      _)        '--------'
    ^                '----'              ^
    |      Direct tunneling over IPv4    |
    V                                    V
.--------.                           .-------.
|  6to4  |                           |  6to4  |
|  host  |                           |  host  |
'--------'                           '--------'

                   Figure 1

It is required that every 6to4 router consider every other 6to4 router it wants to talk to be "on-link" (with IPv4 as the link-layer).

From Native to 6to4

When native domains send traffic to 6to4 prefix 2002:V4ADDR::/48, it will be routed to the topologically nearest advertising 6to4 relay (advertising route to 2002::/16). The 6to4 relay will tunnel the traffic over IPv4 to the corresponding IPv4 address V4ADDR.

Note that IPv4 address 9.0.0.1 here is just an example of a global IPv4 address, and it is assigned to the 6to4 router's pseudo-interface.

                                 Closest to
                             "Native IPv6 node"
.--------.       _----_        .------------.            .--------.
| Native |     _( IPv6 )_      | 6to4 relay |  Tunneled  |  6to4  |
| IPv6   | -> ( Internet ) --> | router     | =========> | router |
| node   |     (_      _)      '------------'   9.0.0.1  '--------'
'--------'       '----'  dst_v6=2002:0900:0001::1            |
                                                             V
                                                         .-------.
                                                         |  6to4  |
                                                         |  host  |
                                                         '--------'

                             Figure 2

From 6to4 to Native

6to4 domains send traffic to native domains by tunneling it over IPv4 to their configured 6to4 relay router, or the closest one found by using 6to4 IPv4 Anycast [3]. The relay will decapsulate the packet and forward it to native IPv6 Internet, as would any other IPv6 packet.

Note that the destination IPv6 address in the packet is a non-6to4 address and is assumed to be 2001:db8::1 in the example.

                                 Configured
                                    -or-
                             found by IPv4 Anycast
.--------.       _----_        .------------.            .--------.
| Native |     _( IPv6 )_      | 6to4 relay |  Tunneled  |  6to4  |
| Client | <- ( Internet ) <-- | router     | <========= | router |
'--------'     (_      _)      '------------' 192.88.99.1'--------'

2001:db8::1 '----' (or configured) ^

                             Figure 3

Other Models

These are more or less special cases of 6to4 operations. In later chapters, unless otherwise stated, only the most generally used models (above) will be considered.

BGP between 6to4 Routers and Relays

Section 5.2.2.2 in [1] presents a model where, instead of static configuration, BGP [6] is used between 6to4 relay routers and 6to4 routers (for outgoing relay selection only).

Going further than [1], if the 6to4 router established a BGP session between all the possible 6to4 relays and advertised its /48 prefix to them, the traffic from non-6to4 sites would always come from a "known" relay. Alternatively, the 6to4 relays might advertise the more specific 6to4 routes between 6to4 relays.

Both of these approaches are obviously infeasible due to scalability issues.

Neither of these models are known to be used at the time of writing; this is probably because parties that need 6to4 are not able to run BGP, and because setting up these sessions would be much more work for relay operators.

6to4 as an Optimization Method

Some sites seem to use 6to4 as an IPv6 connectivity "optimization method"; that is, they also have non-6to4 addresses on their nodes and border routers but also employ 6to4 to reach 6to4 sites.

This is typically done to be able to reach 6to4 destinations by direct tunneling without using relays at all.

These sites also publish both 6to4 and non-6to4 addresses in DNS to affect inbound connections. If the source host's default address selection [7] works properly, 6to4 sources will use 6to4 addresses to reach the site and non-6to4 nodes use non-6to4 addresses. If this behavior of foreign nodes can be assumed, the security threats to such sites can be significantly simplified.

6to4 as Tunnel End-Point Addressing Mechanism

6to4 addresses can also be used only as an IPv6-in-IPv4 tunnel endpoint addressing and routing mechanism.

An example of this is interconnecting 10 branch offices where nodes use non-6to4 addresses. Only the offices' border routers need to be aware of 6to4, and use 6to4 addresses solely for addressing the tunnels between different branch offices. An example is provided in the figure below.

2001:db8:0:10::/60                   2001:db8:0:20::/60
   .--------.                           .--------.
  ( Branch 1 )                         ( Branch 2 )
   '--------'                           '--------'
       |                                     |
   .--------.           _----_          .--------.
   |  6to4  |         _( IPv4 )_        |  6to4  |
   | router | <====> ( Internet ) <===> | router |
   '--------'         (_      _)        '--------'
    9.0.0.1             '----'            8.0.0.2
                          ^^
                          ||
                          vv
                      .--------.
                      |  6to4  | 7.0.0.3
                      | router |
                      '--------'
                          |        2001:db8::/48
                    .-----------.
                   ( Main Office )
                    '-----------'
                          ^
                          |
                          v
                        _----_
                      _( IPv6 )_
                     ( Internet )
                      (_      _)
                        '----'

                             Figure 4

In the figure, the main office sets up two routes:

  2001:db8:0:10::/60 -> 2002:0900:0001::1

  2001:db8:0:20::/60 -> 2002:0800:0002::1

And a branch office sets up two routes as well:

  2001:db8:0:20::/60 -> 2002:0800:0002::1

  default -> 2002:0700:0003::1

Thus, the IPv4 Internet is treated as an NBMA link-layer for interconnecting 6to4-enabled sites; with explicit routes, 6to4 addressing need not be used in routers other than the 6to4 edge routers. However, note that if a branch office sends a packet to any 6to4 destination, it will not go through the main office, as the 6to4 2002::/16 route overrides the default route.

This approach may make addressing and routing slightly easier in some circumstances.

Functionalities of 6to4 Network Components

This section summarizes the main functionalities of the 6to4 network components (6to4 routers, and 6to4 relays) and the security checks they must do. The pseudo-code for the security checks is provided in Section 5.

This section summarizes the main functions of the various components of a 6to4 network: 6to4 relay routers and 6to4 routers. Refer to Section 1.1 of RFC 3056 [1] for 6to4-related definitions.

6to4 Routers

The 6to4 routers act as the border routers of a 6to4 domain. It does not have a native global IPv6 address except in certain special cases. Since the specification [1] uses the term "6to4 router", this memo does the same; however, note that in this definition, we also include a single host with a 6to4 pseudo-interface, which doesn't otherwise act as a router. The main functions of the 6to4 router are as follows:

o Provide IPv6 connectivity to local clients and routers.

o Tunnel packets sent to foreign 6to4 addresses to the destination

  6to4 router using IPv4.

o Forward packets sent to locally configured 6to4 addresses to the

  6to4 network.

o Tunnel packets sent to non-6to4 addresses to the configured/

  closest-by-anycast 6to4 relay router.

o Decapsulate directly received IPv4 packets from foreign 6to4

  addresses.

o Decapsulate IPv4 packets received via the relay closest to the

  native IPv6 sources.  Note that it is not easily distinguishable
  whether the packet was received from a 6to4 relay router or from a
  spoofing third party.

The 6to4 router should also perform security checks on traffic that it receives from other 6to4 relays, or 6to4 routers, or from within the 6to4 site. These checks include the following:

o Disallow traffic that has private, broadcast or certain specific

  reserved IPv4 addresses (see Section 5.3.1 for details) in
  tunnels, or the matching 6to4 prefixes.

o Disallow traffic from 6to4 routers in which the IPv4 tunnel source

  address does not match the 6to4 prefix.  (Note that the
  pseudo-interface must pick the IPv4 address corresponding to the
  prefix when encapsulating, or problems may ensue, e.g., on
  multi-interface routers.)

o Disallow traffic in which the destination IPv6 address is not a

  global address; in particular, link-local addresses, mapped
  addresses, and such should not be used.

o Disallow traffic transmission to other 6to4 domains through 6to4

  relay router or via some third party 6to4 router.  (To avoid
  transmission to the relay router, the pseudo-interface prefix
  length must be configured correctly to /16.  Further, to avoid the
  traffic being discarded, 6to4 source addresses must always
  correspond to the IPv4 address encapsulating the traffic.)

o Discard traffic received from other 6to4 domains via a 6to4 relay

  router.

o Discard traffic received for prefixes other than one's own 6to4

  prefix(es).

6to4 Relay Routers

The 6to4 relay router acts as a relay between all 6to4 domains and native IPv6 networks; more specifically, it

o advertises the reachability of the 2002::/16 prefix to native IPv6

  routing, thus receiving traffic to all 6to4 addresses from the
  closest native IPv6 nodes,

o advertises (if RFC 3068 [3] is implemented) the reachability of

  IPv4 "6to4 relay anycast prefix" (192.88.99.0/24) to IPv4 routing,
  thus receiving some tunneled traffic to native IPv6 nodes from
  6to4 routers.

o decapsulates and forwards packets received from 6to4 addresses

  through tunneling, by using normal IPv6 routing, and

o tunnels packets received through normal IPv6 routing from native

  addresses that are destined for 2002::/16 to the corresponding
  6to4 router.

The 6to4 relay should also perform security checks on traffic that it receives from 6to4 routers, or from native IPv6 nodes. These checks are as follows:

o Disallow traffic that has private, broadcast, or certain specific

  reserved IPv4 addresses in tunnels, or in the matching 6to4
  prefixes.

o Disallow traffic from 6to4 routers in which the IPv4 tunnel source

  address does not match the 6to4 prefix.  (Note that the
  pseudo-interface must pick the IPv4 address corresponding to the
  prefix when encapsulating, or problems may ensue, e.g., on
  multi-interface routers.)

o Disallow traffic in which the destination IPv6 address is not a

  global address; in particular, link-local addresses, mapped
  addresses, and such should not be used.

o Discard traffic received from 6to4 routers with the destination as

  a 6to4 prefix.

Threat Analysis

This section discusses attacks against the 6to4 network or attacks
caused by the 6to4 network.  The threats are discussed in light of
the 6to4 deployment models defined in Section 2.

There are three general types of threats:

1. Denial-of-Service (DoS) attacks, in which a malicious node

   prevents communication between the node under attack and other
   nodes.

2. Reflection Denial-of-Service (DoS) attacks, in which a malicious

   node reflects the traffic off unsuspecting nodes to a particular
   node (node under attack) in order to prevent communication
   between the node under attack and other nodes.

3. Service theft, in which a malicious node/site/operator may make

   unauthorized use of service.

6to4 also provides a means for a "meta-threat", traffic laundering, in which some other attack is channeled through the third parties to make tracing the real origin of the attack more difficult. This is used in conjunction with other threats, whether specific to 6to4 or not.

At this point it is important to reiterate that the attacks are possible because

1. 6to4 routers have to consider all 6to4 relays, and other 6to4

   routers, as "on-link",

2. 6to4 relays have to consider all 6to4 routers as "on-link", and

3. it has been discovered that at least a couple of major 6to4

   implementations do not implement all the security checks.

The attacks' descriptions are classified based on the target of the attack:

1. Attacks on 6to4 networks.

2. Attacks on IPv6 networks.

3. Attacks on IPv4 networks.

Note that one of the mitigation methods listed for various attacks is based on the premise that 6to4 relays could have a feature limiting traffic to/from specific 6to4 sites. At the time of this writing, this feature is speculative, and more work needs to be done to determine the logistics.

Attacks on 6to4 Networks

This section describes attacks against 6to4 networks. Attacks that leverage 6to4 networks, but for which the ultimate victim is elsewhere (e.g., a native IPv6 user, an IPv4 user), are described later in the memo.

6to4 relays and routers are IPv4 nodes, and there is no way for any 6to4 router to confirm the identity of the IPv4 node from which it receives traffic -- whether from a legitimate 6to4 relay or some other node. A 6to4 router has to process traffic from all IPv4 nodes. Malicious IPv4 nodes can exploit this property and attack nodes within the 6to4 network.

It is possible to conduct a variety of attacks on the 6to4 nodes. These attacks are as follows:

1. Attacks with Neighbor Discovery (ND) Messages

2. Spoofing traffic to 6to4 nodes

3. Reflecting traffic from 6to4 nodes

4. Local IPv4 broadcast attack

Attacks with ND Messages

ATTACK DESCRIPTION

Since the 6to4 router assumes that all the other 6to4 routers and 6to4 relays are "on-link", it is possible to attack the 6to4 router by using ND messages from any node in the IPv4 network, unless a prior trust relationship has been established.

The attacks target the 6to4 pseudo-interface. As long as the 6to4 addresses are not used in the source or destination address, the security checks specified by 6to4 take no stance on these packets. Typically they use link-local addresses.

For example, an attack could be a Route Advertisement or Neighbor Advertisement message crafted specifically to cause havoc; the addresses in such a packet could resemble to the following:

src_v6 = fe80::2 (forged address) dst_v6 = fe80::1 (valid or invalid address) src_v4 = 8.0.0.1 (valid or forged address) dst_v4 = 9.0.0.2 (valid address, matches dst_v6)

These attacks are exacerbated if the implementation supports more tunneling mechanisms than 6to4 (or configured tunneling) because it is impossible to disambiguate such mechanisms, making it difficult to enable strict security checks (see Section 6.1).

The Neighbor Discovery threats (Redirect DoS, or DoS) are described in [8]. Note that all attacks may not be applicable, as the 6to4

pseudo-interface is assumed not to have a link-layer address (Section 3.8 RFC 2893 [4]). However, note that the 6to4 router can be either a router or host from the Neighbor Discovery perspective.

THREAT ANALYSIS AND MITIGATION METHODS

The attacks can be mitigated by using any of the following methods:

o The usage of ND messages could be prohibited. This implies that

  all packets using addresses of scope link-local will be silently
  discarded.  Section 3.1 of RFC 3056 [1] leaves scope for future
  uses of link-local address.  This method has its pitfalls: It
  would prohibit any sort of ND message and thus close the doors on
  development and use of other ND options.  Whether this is a
  significant problem is another thing.

o The 6to4 pseudo-interface could be insulated from the other

  interfaces, particularly the other tunnel interfaces (if any), for
  example by using a separate neighbor cache.

o If ND messages are needed, either IPsec [4] or an extension of

  SEND could be used [9] to secure packet exchange using the
  link-local address; vanilla SEND would not work, as the link-layer
  does not have an address -- and IPsec would be rather complex.

COMPARISON TO SITUATION WITHOUT 6to4

Even though rather simply fixed, this attack is not new as such; the same is possible by using automatic tunneling [4] or configured tunneling (if one is able to spoof source IPv4 address to that of the tunnel end-point).

However, as 6to4 provides open decapsulation, and automatic tunneling is being deprecated [10], 6to4 provides an easy means, which would not exist without it.

Spoofing Traffic to 6to4 Nodes

ATTACK DESCRIPTION

The attacker - a malicious IPv4 or IPv6 node - can send packets that are difficult to trace (e.g., due to spoofing or going through a relay) to a 6to4 node. This can be used e.g., to accomplish a DoS attack.

The IPv6 and IPv4 addresses of the packets will be similar to the following:

src_v6 = 2001:db8::1 (forged address) dst_v6 = 2002:0900:0002::1 (valid address) src_v4 = 8.0.0.1 (valid or forged address) dst_v4 = 9.0.0.2 (valid address, matches dst_v6)

For attacks launched from a native IPv6 node, the src_v4 will be the address of the relay through which the traffic will reach the 6to4 node. From IPv4 nodes, src_v4 can be either a spoofed source address or the real one.

The 6to4 router receives these packets from 8.0.0.1, decapsulates them, discards the IPv4 header containing the source address 8.0.0.1, and processes them as normal (the attacker has guessed or obtained "dst_v6" by using one of a number of techniques).

This is a DoS attack on 6to4 nodes.

This attack is similar to those shown in [11].

EXTENSIONS

Replies to the traffic will be directed to the src_v6 address, resulting in 6to4 nodes participating in a reflection DoS. This attack is described in more detail in Section 4.2.3. The replies (e.g., TCP SYN ACK, TCP RST, ICMPv6 Echo Reply, input sent to UDP echo service, ICMPv6 Destination Unreachable) are sent to the victim (src_v6), above. All the traces from the original attacker (src_v4) have been discarded. These return packets will go through a relay.

Certain 6to4 networks may have a trivial ACL (Access Control List) based firewall that allows traffic to pass through if it comes from particular source(s). Such a firewalling mechanism can be bypassed by address spoofing. This attack can therefore be used for trivial ACL avoidance as well. These attacks might be hampered because the replies from the 6to4 node to the spoofed address will be lost.

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

The Denial-of-Service attack based on traffic spoofing is not new; the only twists come from the fact that traces of an attack are more easily lost, and that spoofing the IPv6 address is possible even to those who are unable to do so in their current networks. The 6to4 router typically does not log IPv4 addresses (as they would be treated as L2 addresses), and thus the source of the attack (if launched from an IPv4 node) is lost. Because traces to the src_v4 address are easily lost, these attacks can also be launched from IPv4 nodes whose connections are ingress-filtered.

However, often this is not a real factor, as usually the attackers are just zombies and real attackers may not even care whether the unspoofed source address is discovered.

Malicious native IPv6 nodes could be caught easily if ingress filtering was enabled everywhere in the IPv6 Internet.

These attacks are easy to perform, but the extent of harm is limited:

o For every packet sent, at most one reply packet is generated:

  there is no amplification factor.

o Attack packets, if initiated from an IPv6 node, will pass through

  choke point(s), namely a 6to4 relay; in addition to physical
  limitations, these could implement some form of 6to4-site-specific
  traffic limiting.

On the other hand, a variety of factors can make the attacks serious:

o The attacker may have the ability to choose the relay, and he

  might employ the ones best suited for the attacks.  Also, many
  relays use 192.88.99.1 [3] as the source address, making tracing
  even more difficult (also see Section 4.2.6).

o The relay's IPv4 address may be used as a source address for these

  attacks, potentially causing a lot of complaints or other actions,
  as the relay might seem to be the source of the attack (see
  Section 4.2.6 for more).

Some of the mitigation methods for such attacks are as follows:

1. Ingress filtering in the native IPv6 networks to prevent packets

   with spoofed IPv6 sources from being transmitted.  This would,
   thus, make it easy to identify the source of the attack.
   Unfortunately, it would depend on significant (or even complete)
   ingress filtering everywhere in other networks; while this is
   highly desirable, it may not be feasible.

2. Security checks in the 6to4 relay. The 6to4 relay must drop

   traffic (from the IPv6 Internet) that has 6to4 addresses as
   source address; see Section 5 for more detail.  This has very
   little cost.

However, these mitigation methods do not address the case of an IPv4 node sending encapsulated IPv6 packets.

No simple way to prevent such attacks exists, and longer-term solutions, such as ingress filtering [12] or itrace [13], would have

to be deployed in both IPv6 and IPv4 networks to help identify the source of the attacks. A total penetration is likely impossible. (Note that itrace work has been discontinued, as of this writing in July 2004.)

COMPARISON TO SITUATION WITHOUT 6to4

Traffic spoofing is not a new phenomenon in IPv4 or IPv6. 6to4 just makes it easier: Anyone can, regardless of ingress filtering, spoof a native IPv6 address to a 6to4 node, even if "maximal security" would be implemented and deployed. Losing trails is also easier.

Therefore, depending on how much one assumes ingress filtering is deployed for IPv4 and IPv6, this could be considered either a very serious issue or close to irrelevant compared to the IP spoofing capabilities without 6to4.

Reflecting Traffic to 6to4 Nodes

ATTACK DESCRIPTION

Spoofed traffic (as described in Section 4.2.2) may be sent to native IPv6 nodes to perform a reflection attack against 6to4 nodes.

The spoofed traffic is sent to a native IPv6 node, either from an IPv4 node (through a 6to4 relay) or from a native IPv6 node (unless ingress filtering has been deployed). With the former, the sent packets would resemble the following:

src_v6 = 2002:1234:1234::1 (forged address of the target 6to4 node) dst_v6 = 2002:0900:0002::1 (valid address) src_v4 = 8.0.0.1 (valid or invalid address) dst_v4 = 9.0.0.2 (valid address, matches dst_v6)

Note that an attack through the relay is prevented if the relay implements proper decapsulation security checks (see Section 5 for details) unless the IPv4 node can spoof the source address to match src_v6. Similarly, the attack from native IPv6 nodes could be prevented by global ingress filtering deployment.

These attacks can be initiated by native IPv6, IPv4, or 6to4 nodes.

EXTENSIONS

A distributed Reflection DoS can be performed if a large number of nodes are involved in sending spoofed traffic with the same src_v6.

Malicious 6to4 nodes can also (try to) initiate this attack by bouncing traffic off 6to4 nodes in other 6to4 sites. However, this attack may not be possible, as the 6to4 router (in the site from which the attack is launched) will filter packets with forged source addresses (with security checks mentioned in Section 5).

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

In this case, the reverse traffic comprises replies to the messages received by the 6to4 nodes. The attacker has less control on the packet type, and this would inhibit certain types of attacks. For example, flooding a 6to4 node with TCP SYN packets will not be possible (but e.g., a SYN-ACK or RST would be).

These attacks may be mitigated in various ways:

o Implementation of ingress filtering by the IPv4 service providers.

  This would prevent forging of the src_v4 address and help in
  closing down on the culprit IPv4 nodes.  Note that it will be
  difficult to shut down the attack if a large number of IPv4 nodes
  are involved.

  These attacks may be also be stopped at the 6to4 sites if the
  culprit src_v4 address is identified, and if it is constant, by
  filtering traffic from this address.  Note that it would be
  difficult to implement this method if appropriate logging were not
  done by the 6to4 router or if a large number of 6to4 nodes, and/or
  a large number of IPv4 nodes were participating in the attack.

  Unfortunately, because many IPv4 service providers don't implement
  ingress filtering, for whatever reasons, this may not be a
  satisfactory solution.

o Implementation of ingress filtering by all IPv6 service providers

  would eliminate this attack, because src_v6 could not be spoofed
  as a 6to4 address.  However, expecting this to happen may not be
  practical.

o Proper implementation of security checks (see Section 5) both at

  the 6to4 relays and routers would eliminate an attack launched
  from an IPv4 node, except when the IPv4 source address was also
  spoofed -- but then the attacker would have been able to attack
  the ultimate destination directly.

o Rate limiting traffic at the 6to4 relays. In a scenario where

  most of the traffic is passing through few 6to4 relays, these
  relays can implement traffic rate-limiting features and rate-limit
  the traffic from 6to4 sites.

COMPARISON TO SITUATION WITHOUT 6to4

This particular attack can be mitigated by proper implementation of security checks (which is quite straightforward) and ingress filtering; when ingress filtering is not implemented, it is typically easier to attack directly than through reflection -- unless "traffic laundering" is an explicit goal of the attack. Therefore, this attack does not seem very serious.

Local IPv4 Broadcast Attack

ATTACK DESCRIPTION

This threat is applicable if the 6to4 router does not check whether the IPv4 address to which it tries to send encapsulated IPv6 packets is a local broadcast address or a multicast address.

This threat is described in the specification [1], and implementing the checks eliminates this threat. However, as checks have not been widely implemented, the threat is included here for completeness.

There practically two kinds of attacks: when a local 6to4 user tries to send packets to the address corresponding to the broadcast address, and when someone is able to do so remotely.

In the first option, assume that 9.0.0.255 is the 6to4 router's broadcast address. After receiving the packet with a destination address like "2002:0900:00ff::bbbb" from a local 6to4 node, if the router doesn't check the destination address for subnet broadcast, it would send the encapsulated protocol-41 packet to 9.0.0.255. This would be received by all nodes in the subnet, and the responses would be directed to the 6to4 router.

Malicious sites may also embed forged 6to4 addresses in the DNS, use of which by a 6to4 node would result in a local broadcast by the 6to4 router. One way to perform this attack would be to send an HTML mail containing a link to an invalid URL (for example, http://[2002:0900:00ff::bbbb]/index.html) to all users in a 6to4 technology based network. Opening of the mail simultaneously would result in a broadcast storm.

The second kind of attack is more complex: The attack can be initiated by IPv4 nodes not belonging to the local network as long as they can send traffic with invalid (for example 2002:0900:00ff::bbbb) source address. The 6to4 router has to respond to the traffic by sending ICMPv6 packets back to the source, (e.g., Hop Limit Exceeded or Destination Unreachable). The packet would be as follows:

src_v6 = 2002:0800:00ff::bbbb (broadcast address of the router) dst_v6 = 2002:0800:0001::0001 (valid non-existent address)

This is a DoS attack.

EXTENSIONS

The attacks could also be directed at non-local broadcast addresses, but these would be so-called "IPv4 directed broadcasts", which have (luckily enough) already been extensively blocked in the Internet.

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

The attack is based on the premise that the 6to4 router has to send a packet that embeds an invalid IPv4 address to an IPv6 address. Such an attack is easily thwarted by ensuring that the 6to4 router does not transmit packets to invalid IPv4 addresses. Specifically, traffic should not be sent to broadcast or multicast IPv4 addresses.

COMPARISON TO SITUATION WITHOUT 6to4

The first threat is similar to what is already possible with IPv4, but IPv6 does not have broadcast addresses.

The second, a more complex threat, is, similarly, also available in IPv4.

In consequence, the security does not seem to be significantly worse than with IPv4, and even that is restricted to the site(s) with 6to4 implementations that haven't been secured as described in Section 5.

Attacks on Native IPv6 Internet

This section describes attacks against native IPv6 Internet that somehow leverage 6to4 architecture. Attacks against 6to4 nodes were described in the previous section.

6to4 and IPv4 nodes can access native IPv6 nodes through the 6to4 relay routers. Thus, the 6to4 relays play a crucial role in any attack on native IPv6 nodes by IPv4 nodes or 6to4 nodes.

6to4 relays have only one significant security check they must perform for general safety: When decapsulating IPv4 packets, they check that 2002:V4ADDR::/48 and V4ADDR match in the source address. If this is not done, several threats become more serious; in the following analysis, it is assumed that such checks are implemented.

6to4 relay should not relay packets between 6to4 addresses. In particular, packets decapsulated from 6to4 routers should not be encapsulated toward 6to4 routers, as described in Section 5. Similarly, packets with 6to4 source and destination addresses sent from IPv6 nodes should not be relayed. It is not clear whether this kind of check is typically implemented. The attacks described below assume that such checks are not implemented.

Attacks with ND Messages

These attacks are the same as those employed against 6to4 routers, as described in Section 4.1.1.

Spoofing Traffic to Native IPv6 Node

ATTACK DESCRIPTION

The attacker - a malicious IPv4 or 6to4 node - can send packets with a spoofed (or not spoofed) 6to4 source address to a native IPv6 node to accomplish a DoS attack.

The threat is similar to that involving 6to4 routers, as described in Section 4.1.2.

The difference here is that the attack is initiated by IPv4 or 6to4 nodes. The source IPv6 address may or may not be spoofed. Note that, as mentioned above, the relay is assumed to correlate the source IPv4 address with the address embedded in the source IPv6 address during decapsulation. A side effect is that all spoofed traffic will have a 6to4 source address.

EXTENSIONS

Spoofed traffic may also be sent to native IPv6 nodes either by other native IPv6 nodes, by 6to4 nodes, or by malicious IPv4 nodes to conduct Reflection DoS on either native IPv6 nodes or 6to4 nodes.

Certain native IPv6 networks may have a trivial ACL (Access Control List) based firewall that allows traffic to pass through if it comes from particular source(s). Such a firewalling mechanism can be bypassed by address spoofing. This attack can therefore be used for trivial ACL avoidance as well. These attacks might be hampered by lost replies from the 6to4 node to the spoofed address.

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

The Denial-of-Service attack based on traffic spoofing is not new; the only twist is that traces of an attack are more easily lost. The 6to4 relay typically does not log IPv4 addresses (as they would be treated as L2 addresses), and thus the source of the attack (if launched from an IPv4 node) is lost. Because traces to the src_v4 address are easily lost, these attacks can also be launched from IPv4 nodes whose connections are ingress-filtered.

These attacks might not be easy to perform and might be hampered because of the following:

o It might be difficult to launch such attacks from 6to4 nodes

  because even if the 6to4 routers allow spoofing of the source IPv6
  address, the 6to4 relay would check whether the source V4ADDR is
  the same as the one embedded in the source IPv6 address.  Thus,
  6to4 nodes will be forced to use the correct IPv6 prefix while
  launching an attack, making it easy to close such attacks.

o Packets may pass through choke point(s), namely a 6to4 relay. In

  addition to physical limitations, there could be some sort of
  traffic rate limiting mechanisms that may be implemented, and
  these could tone down the attack.

o For every packet sent, at most one reply packet is generated:

  There is no amplification factor.

Some of the mitigation methods for such attacks are as follows:

1. Ingress filtering in the IPv4 Internet to prevent packets with a

   spoofed IPv4 source from being transmitted.  As the relay checks
   that the 6to4 address embeds the IPv4 address, no spoofing can be
   achieved unless IPv4 addresses can be spoofed.  However, this
   would probably be an unfeasible requirement.

2. Security checks in the 6to4 relay. The 6to4 relay must drop

   traffic (from 6to4 nodes, or IPv4 nodes) with non-6to4 addresses
   as the source address, or for which the source IPv4 address does
   not match the address embedded in the source IPv6 address.

COMPARISON TO SITUATION WITHOUT 6to4

Compared to Section 4.1.2, which describes more serious threats, this threat appears to be slightly more manageable. If the relays perform proper decapsulation checks, the spoofing can only be achieved, to a 6to4 source address, when the IPv4 address is spoofable as well.

Reflecting Traffic to Native IPv6 Nodes

ATTACK DESCRIPTION

These reflection attacks are similar to that involving 6to4 routers, as described in Section 4.1.3. Traffic may be reflected off native IPv6 nodes, or off 6to4 nodes. The attack can be initiated by one of the following:

o Native IPv6 nodes. These nodes can send invalid traffic with

  spoofed native IPv6 addresses to valid 6to4 nodes.  Replies from
  the 6to4 nodes are part of a reflection attack.

o IPv4 nodes. These nodes can send traffic with native IPv6 source

  addresses (encapsulated by the IPv4 node itself into a protocol-41
  packet) to 6to4 nodes.  Replies from the 6to4 nodes are part of a
  reflection attack.

o 6to4 nodes. These nodes can perform attacks similar to those by

  IPv4 nodes, but this would require spoofing of the source address
  at the 6to4 site before encapsulation, which is likely to be
  difficult.

When launched from a native IPv6 node, the traffic goes through 6to4 relays twice, both before and after the reflection; when launched from a 6to4/IPv4 node, the traffic goes through a relay only after the reflection.

EXTENSIONS

A distributed reflection DoS can be performed if a large number of native IPv6 nodes or IPv4/6to4 nodes are involved in sending spoofed traffic with the same source IPv6 address.

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

Some of the mitigation methods for such attacks are as follows:

1. Attacks from the native IPv6 nodes could be stopped by

   implementing ingress filtering in the IPv6 Internet; hopefully
   this will become commonplace, but past experience of IPv4 ingress
   filtering deployment (or lack thereof) does not promise much.

2. Two measures are needed to stop or mitigate the attacks from IPv4

   nodes: 1) Implementing ingress filtering in the IPv4 internet,
   and 2) logging IPv4 source addresses in the 6to4 router.

3. Attacks from 6to4 nodes in other sites can be stopped if the 6to4

   routers in those sites implement egress filtering.  This could be
   done by those sites, but the sites that are most likely to be
   abused are typically also those most likely to neglect installing
   appropriate filtering at their edges.

4. The traffic passes through one or two relays, and traffic rate

   limiting in the 6to4 relays might help tone down the reflection
   attack.

COMPARISON TO SITUATION WITHOUT 6to4

Even though there are means to mitigate it, the attack is still rather efficient, especially when used by native IPv6 nodes with spoofed addresses. Using 6to4 relays and routers could easily take down the 6to4 relay system and/or provide an easy means for traffic laundering. However, if the attack is intended to DoS the victim, this can be achieved more smoothly by doing it directly (as the source address spoofing was available as well).

Therefore, the threat to the availability and stability of the 6to4 relay system itself seems to be higher than to the native IPv6 Internet.

Local IPv4 Broadcast Attack

This attack is similar to the ones employed against 6to4 routers, as described in Section 4.1.4. There are slight differences with regard to the source of the attacks. This attack can be initiated by:

o native IPv6 nodes that may send traffic to the relay's subnet

  broadcast address, and

o IPv4 nodes that may send traffic with a spoofed source IP address

  (to be the relay's broadcast address) to elicit replies (e.g.,
  ICMPv6 Hop Limit Exceeded) from the 6to4 relay to its local nodes.

The first approach is more dangerous than those in Section 4.1.4 because it can be initiated by any IPv6 node (allowed to use the relay); the approach is not limited to local users.

The second approach is trickier and not really useful. For it to succeed, the relay would have to accept native source addresses over the 6to4 pseudo-interface (we did not assume this check was implemented), as if coming from another relay, triggering an ICMPv6 message to the relay's local IPv4 subnet. The former method is more lucrative.

EXTENSIONS

None.

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

The threat is restricted to the relay's local subnet and is fixed by tightening the 6to4 security checks.

COMPARISON TO SITUATION WITHOUT 6to4

This scenario is caused by 6to4, but fortunately the issue is not serious.

Theft of Service

ATTACK DESCRIPTION

The 6to4 relay administrators would often want to use some policy to limit the use of the relay to specific 6to4 sites and/or specific IPv6 sites.

The policy control is usually enacted by applying restrictions to where the routing information for 2002::/16 and/or 192.188.99.0/24 (if the anycast address used [3]) will spread.

Some users may be able to use the service regardless of these controls, by

o configuring the address of the relay using its IPv4 address

  instead of 192.88.99.1, or

o using the routing header to route IPv6 packets to reach specific

  6to4 relays.  (Other routing tricks, such as using static routes,
  may also be used.)

EXTENSIONS

None.

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

Attempts to use the relay's IPv4 address instead of 192.88.99.1 can be mitigated in the following ways:

1. IPv4 domains should prevent use of the actual IPv4 address of the

   relay instead of 192.88.99.1.

2. Usage of access lists in the 6to4 relay to limit access. This is

   only feasible if the number of IP networks the relay is supposed
   to serve is relatively low.

3. The 6to4 relay should filter out arriving tunneled packets with

   protocol 41 (IPv6) that do not have 192.88.99.1 as the
   destination address.

The other threat, of using routing tricks in the IPv6 networks to reach the 6to4 relay, has similar solutions:

1. Usage of access lists in the relay to limit access.

2. Filtering out the packets with a routing header (although this

   may have other implications).

3. Monitoring the source addresses going through the relay to

   detect, e.g., peers setting up static routes.

Routing Header is not specific to 6to4. The main thing one could do with it here would be to select the relay. Some generic threats about routing header use are described in [11].

As this threat does not have implications for anything other than the organization providing 6to4 relay, it is not analyzed any further.

COMPARISON TO SITUATION WITHOUT 6to4

These threats are specific to 6to4 relays (or in general anycast services) and do not exist in networks without 6to4.

Relay Operators Seen as Source of Abuse

ATTACK DESCRIPTION

Several attacks use 6to4 relays to anonymize the traffic; this often results in packets being tunneled from the relay to a supposedly-6to4 site.

However, as was pointed out in Section 4.2, the IPv4 source address used by the relay could, on a cursory look, be seen as the source of these "protocol-41" attacks.

This could cause a number of concerns for the operators deploying 6to4 relay service, including the following:

o being contacted a lot (via email, phone, fax, or lawyers) on

  suspected "abuse",

o having the whole IPv4 address range rejected as a source of abuse

  or spam, causing outage to other operations as well, or

o causing the whole IPv4 address range to be blacklisted in some

  "spammer databases", if the relay were used for those purposes.

This threat seems slightly similar to the outburst of SMTP abuse caused by open relays but is more generic.

EXTENSIONS

None.

THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS

This problem can be avoided (or, really, "made someone else's problem") by using the 6to4 anycast address in 192.88.99.0/24 as the source address. Blacklisting or rejecting this should not cause problems to the other operations.

Further, when someone files complaints to the owner of 192.88.99.0/24, depending on which registry they are querying, they might get, for example:

o knowledge that this is a special IANA address block, with no real

  contact person,

o knowledge that this is a special address block for RFC 3068, or

o knowledge that this is a special address block for RFC 3068, and

  that there are multiple entries by relay operators in the
  database.

Any of these, at least when processed by a human, should show that the 6to4 relay is in fact innocent. Of course, this could result in reports going to the closest anycast 6to4 relay as well, which had nothing to do with the incident.

However, the widespread usage of 192.88.99.1 as the source address may make it more difficult to disambiguate the relays, which might be a useful feature for debugging purposes.

COMPARISON TO SITUATION WITHOUT 6to4

This threat is caused by 6to4 deployment but can be avoided, at least in the short-term, by using 192.88.99.1 as the source address.

Attacks on IPv4 Internet

There are two types of attacks on the IPv4 internet - spoofed traffic, and reflection. These can be initiated by native IPv6 nodes, 6to4 nodes, and IPv4 nodes.

Attacks initiated by IPv4 nodes that send spoofed traffic, which would not use the 6to4 infrastructure, are considered out of the scope of this document. 6to4 infrastructure may be used in reflection attacks initiated by IPv4 nodes.

It is difficult for these attacks to be effective, as the traffic sent out will be IPv6-in-IPv4. Such traffic will be rejected by most IPv4 nodes unless they have implemented some sort of IPv6-in-IPv4 tunneling.

Summary of the Attacks

Columns:

o Section number. The section that describes the attack.

o Attack name.

o Initiator. The node that initiates the attack.

  *  I_4 - IPv4 node

  *  I_6 - native IPv6 node

  *  6to4 - 6to4 node

  *  * - All of the above

o Victim. The victim node

  *  I_4 - IPv4 node

  *  I_6 - native IPv6 node

  *  6to4 - 6to4 node

  *  Relay - 6to4 relay

  *  Router - 6to4 router

o ToA. Type of Attack

  *  D - DoS

  *  R - Reflection DoS

  *  T - Theft of Service

o Fix. Specified who is responsible for fixing the attack.

  *  6 - The 6to4 developer and/or operator can completely mitigate
     this attack.

  *  6* - The 6to4 developer and/or operator can partially mitigate
     this attack.

  *  E - This threat cannot be fixed by the 6to4 developer or the
     6to4 operator.

Summary of attacks on a 6to4 network:

  +-------+----------------------+---------+----------+-----+-----+
  | Sec   | Attack name          |Initiator| Victim   | ToA | Fix |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.1.1 | Attacks with ND      |  I_4    |  Router  |  D  |  6  |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.1.2 | Spoofing Traffic     | I_4,I_6 |   6to4   |  D  |  E  |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.1.3 | Reflection Attacks   |   *     |   6to4   |  R  |  6* |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.1.4 | Local IPv4 Broadcast |   *     |  Router  |  D  |  6  |
  +-------+----------------------+---------+----------+-----+-----+

                             Figure 9

Summary of attacks on the native IPv6 internet:

  +-------+----------------------+---------+----------+-----+-----+
  | Sec   | Attack name          |Initiator|  Victim  | ToA | Fix |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.2.1 | Attacks with ND      |   I_4   |  Relay   |  D  |  6  |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.2.2 | Spoofing Traffic     | I_4,6to4|    I_6   |  D  |  6* |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.2.3 | Reflection Attacks   |    *    |    I_6   |  R  |  6* |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.2.4 | Local IPv4 Broadcast |    *    |  Relay   |  D  |  6  |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.2.5 | Theft of Service     |  6to4   |  Relay   |  T  |  6  |
  +-------+----------------------+---------+----------+-----+-----+
  | 4.2.6 | Relay Operators ...  |    -    |    -     |  D  |  1) |
  +-------+----------------------+---------+----------+-----+-----+

                             Figure 10

Notes:

1) This attack is a side-effect of the other attacks and thus does not have any Initiator, Victim, and Fix. It is a Denial of Service attack not on the network but on the organization in-charge of the relay.

Summary of attacks on IPv4 internet:

  +-------+----------------------+---------+----------+-----+-----+
  | Sec   | Attack name          |Initiator|  Victim  | ToA | Fix |
  +-------+----------------------+---------+----------+-----+-----+
  |  4.3  | Spoofing Traffic     |    *    |    I_4   |  D  |  6* |
  +-------+----------------------+---------+----------+-----+-----+
  |  4.3  | Reflection Attacks   |    *    |    I_4   |  R  |  6* |
  +-------+----------------------+---------+----------+-----+-----+

                             Figure 11

Implementing Proper Security Checks in 6to4

This section describes several ways to implement the security checks required or implied by the specification [1] or augmented by this memo. These do not, in general, protect against most of the threats listed above in the "Threat Analysis" section. They are only prerequisites for a relatively safe and simple 6to4 implementation.

Note that, in general, the 6to4 router or relay does not know whether it is acting as a router or relay. It would be possible to include a toggle to specify the behaviour, to be used when, e.g., the interface is brought up, but as of February 2004, no implementations were known to do that. Therefore, the checks are described as that which works independently of whether the node is a router or relay.

Encapsulating IPv6 into IPv4

The checks described in this section are to be performed when encapsulating IPv6 into IPv4.

The encapsulation rules are mainly designed to keep implementors from "shooting themselves in the foot." For example, the source address check would verify that the packet will be acceptable to the decapsulator, or the sanity checks would ensure that addresses derived from private addresses are not used (which would be equally unacceptable).

src_v6 and dst_v6 MUST pass ipv6-sanity checks (see below) else drop
if prefix (src_v6) == 2002::/16
    ipv4 address embedded in src_v6 MUST match src_v4
else if prefix (dst_v6) == 2002::/16
        dst_v4 SHOULD NOT be assigned to the router
else
    drop
        /* we somehow got a native-native ipv6 packet */
fi
accept

Decapsulating IPv4 into IPv6

The checks described in this section are to be performed when decapsulating IPv4 into IPv6. They will be performed in both the 6to4 router and relay.

src_v4 and dst_v4 MUST pass ipv4-sanity checks, else drop
src_v6 and dst_v6 MUST pass ipv6-sanity checks, else drop
if prefix (dst_v6) == 2002::/16
    ipv4 address embedded in dst_v6 MUST match dst_v4
        if prefix (src_v6) == 2002::/16
            ipv4 address embedded in src_v6 MUST match src_v4
            dst_v4 SHOULD be assigned to the router
        fi
elif prefix (src_v6) == 2002::/16
    ipv4 address embedded in src_v6 MUST match src_v4
    dst_v4 SHOULD be assigned to the router (see notes below)

else
    drop
        /* the we somehow got a native-native ipv6 packet */
fi
accept

IPv4 and IPv6 Sanity Checks

The encapsulation and decapsulation checks include certain sanity checks for both IPv4 and IPv6. These are described here in detail.

IPv4

IPv4 address MUST be a global unicast address, as required by the 6to4 specification. The disallowed addresses include those defined in [14], and others widely used and known not to be global. These are

o 0.0.0.0/8 (the system has no address assigned yet)

o 10.0.0.0/8 (private)

o 127.0.0.0/8 (loopback)

o 172.16.0.0/12 (private)

o 192.168.0.0/16 (private)

o 169.254.0.0/16 (IANA Assigned DHCP link-local)

o 224.0.0.0/4 (multicast)

o 240.0.0.0/4 (reserved and broadcast)

In addition, the address MUST NOT be any of the system's broadcast addresses. This is especially important if the implementation is made so that it can

o receive and process encapsulated IPv4 packets arriving at its

  broadcast addresses, or

o send encapsulated IPv4 packets to one of its broadcast addresses.

IPv6

IPv6 address MUST NOT be

o 0::/16 (compatible, mapped addresses, loopback, unspecified, ...)

o fe80::/10 (link-local)

o fec0::/10 (site-local)

o ff00::/8 (any multicast)

Note: Only link-local multicast would be strictly required, but it is believed that multicast with 6to4 will not be feasible, so it has been disallowed as well.

In addition, it MUST be checked that equivalent 2002:V4ADDR::/48 checks, where V4ADDR is any of the above IPv4 addresses, will not be passed.

Optional Ingress Filtering

In addition, the implementation in the 6to4 router may perform some form of ingress filtering (e.g., Unicast Reverse Path Forwarding checks). For example, if the 6to4 router has multiple interfaces, of which some are "internal", receiving either IPv4 or IPv6 packets with source address belonging to any of these internal networks from the Internet might be disallowed.

If these checks are implemented and enabled by default, it's recommended that there be a toggle to disable them if needed.

Notes about the Checks

The rule "dst_v4 SHOULD be assigned to the router" is not needed if the 6to4 router implementation only accepts and processes encapsulated IPv4 packets arriving to its unicast IPv4 addresses, and when the destination address is known to be a local broadcast address, it does not try to encapsulate and send packets to it. (See Sections 4.1.4 and 4.2.4 about this threat.)

Some checks, especially the IPv4/IPv6 Sanity Checks, could be at least partially implementable with system-level access lists, if one would like to avoid placing too many restrictions in the 6to4 implementation itself. This depends on how many hooks are in place for the access lists. In practice, it seems that this could not be done effectively enough unless the access list mechanism is able to parse the encapsulated packets.

Issues in 6to4 Implementation and Use

This section tries to give an overview of some of the problems 6to4 implementations face, and the kind of generic problems the 6to4 users could come up with.

Implementation Considerations with Automatic Tunnels

There is a problem with multiple transition mechanisms if strict security checks are implemented. This may vary a bit from implementation to implementation.

Consider three mechanisms using automatic tunneling: 6to4, ISATAP [15], and Automatic Tunneling using Compatible Addresses [4] (currently removed [10] but typically still supported). All of these use IP-IP (protocol 41) [16] IPv4 encapsulation with, more or less, a pseudo-interface.

When a router, which has any two of these enabled, receives an IPv4 encapsulated IPv6 packet

src_v6 = 2001:db8::1 dst_v6 = 2002:1010:1010::2 src_v4 = 10.0.0.1 dst_v4 = 20.20.20.20

What can it do? How should it decide which transition mechanism this belongs to; there is no "transition mechanism number" in the IPv6 or IPv4 header to signify this. (This can also be viewed as a flexibility benefit.)

Without any kind of security checks (in any of the implemented methods), these often just "work", as the mechanisms aren't differentiated but handled in "one big lump".

Configured tunneling [4] does not suffer from this, as it is point-to-point and based on src_v6/dst_v6 pairs of both IPv4 and IPv6 addresses, so the tunnel interface can be logically deduced.

Solutions for this include 1) not using more than one automatic tunneling mechanism in a node and 2) binding different mechanisms to different IPv4 addresses.

A Different Model for 6to4 Deployment

Even though this was already discussed in Section 4.1.2, it bears some additional elaboration, as it was the only problem that cannot be even partially solved using the current deployment model. There are some mitigation methods.

6to4 routers receive traffic from non-6to4 ("native") sources via 6to4 relays. 6to4 routers have no way of matching the IPv4 source address of the relay with the non-6to4 IPv6 address of the source. Consequently, anyone can spoof any non-6to4 IPv6 address by sending traffic, encapsulated, directly to 6to4 routers.

It could be possible to turn the deployment assumptions of 6to4 around a bit to eliminate some threats caused by untrusted 6to4 relays:

o Every dual-stack site (or even ISP) would be required to have its

  own 6to4 relay.  (This assumes that IPv6-only is so far away that
  6to4 would be retired by that point.)  That is, there would not be
  third-party relays, and 2002::/16 and 192.88.99.0/24 routes would
  not need to be advertised globally.

o The security implications of 6to4 use could be pushed back to the

  level of trust inside the site or ISP (or their acceptable use
  policies).  This is something that the sites and ISPs should
  already be familiar with already.

However, this presents a number of problems:

This model would shift most of the burden of supporting 6to4 to IPv6 sites that don't employ or use 6to4 at all, i.e., "those who deploy proper native dual-stack." It could be argued that the deployment pain should be borne by 6to4 users, not by the others.

The main advantage of 6to4 is easy deployment and free relays. This would require that everyone the 6to4 sites wish to communicate with implement these measures.

The model would not fix the "relay spoofing problem", unless everybody also deployed 6to4 addresses on the nodes (alongside with native addresses, if necessary), which would in turn change 6to4 to operate without relays completely.

Security Considerations

This document discusses security considerations of 6to4.

Even if proper checks are implemented, there are a large number of different security threats; these threats are analyzed in Section 4.

There are mainly four classes of potential problem sources:

1. 6to4 routers not being able to identify whether relays are

   legitimate

2. Wrong or impartially implemented 6to4 router or relay security

   checks

3. 6to4 architecture used to participate in DoS or reflected DoS

   attacks or made to participate in "packet laundering", i.e.,
   making another attack harder to trace

4. 6to4 relays being subject to "administrative abuse" e.g., theft

   of service or being seen as a source of abuse.

The first is the toughest problem, still under research. The second can be fixed by ensuring the correctness of implementations; this is important. The third is also a very difficult problem, impossible to solve completely; therefore it is important to be able to analyze whether this results in a significant increase of threats. The fourth problem seems to have feasible solutions.

These are analyzed in detail in "Threat Analysis", in Section 4.

Acknowledgments

Some issues were first brought up by Itojun Hagino in [17], and Alain Durand introduced one specific problem at IETF51 in August 2001 (though there was some discussion on the list prior to that); these two gave the authors the push to start looking into the details of securing 6to4.

Alexey Kuznetsov brought up the implementation problem with IPv6 martian checks. Christian Huitema formulated the rules that rely on 6to4 relays using only anycast. Keith Moore brought up the point about reduced flexibility. Brian Carpenter, Tony Hain, and Vladislav Yasevich are acknowledged for lengthy discussions. Alain Durand reminded the authors about relay spoofing problems. Brian Carpenter reminded the authors about the BGP-based 6to4 router model. Christian Huitema gave a push for a more complete threat analysis. Itojun Hagino spelled out the operators' fears about 6to4 relay

abuse. Rob Austein brought up the idea of a different 6to4 deployment model.

In the latter phase, discussions with Christian Huitema, Brian Carpenter, and Alain Durand were helpful when improving the document.

David Malone, Iljitsch van Beijnum, and Tim Chown gave feedback on the document.

References

Normative References

[1] Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4

    Clouds", RFC 3056, February 2001.

[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement

    Levels", BCP 14, RFC 2119, March 1997.

[3] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", RFC

    3068, June 2001.

Informative References

[4] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6

    Hosts and Routers", RFC 2893, August 2000.

[5] IANA, "Special-Use IPv4 Addresses", RFC 3330, September 2002.

[6] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 (BGP-4)",

    RFC 1771, March 1995.

[7] Draves, R., "Default Address Selection for Internet Protocol

    version 6 (IPv6)", RFC 3484, February 2003.

[8] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor

    Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.

[9] Arkko, J., Kempf, J., Sommerfeld, B., Zill, B., and P. Nikander,

    "SEcure Neighbor Discovery (SEND)", Work in Progress, July 2004.

[10] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for

    IPv6 Hosts and Routers", Work in Progress, September 2004.

[11] Savola, P., "Security of IPv6 Routing Header and Home Address

    Options", Work in Progress, March 2002.

[12] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating

    Denial of Service Attacks which employ IP Source Address
    Spoofing", BCP 38, RFC 2827, May 2000.

[13] Bellovin, S., Leech, M. and T. Taylor, "ICMP Traceback

    Messages", Work in Progress, February 2003.

[14] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812,

    June 1995.

[15] Templin, F., Gleeson, T., Talwar, M. and D. Thaler, "Intra-Site

    Automatic Tunnel Addressing Protocol (ISATAP)", Work in
    Progress, May 2004.

[16] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995.

[17] Hagino, J., "Possible abuse against IPv6 transition

    technologies", Work in Progress, July 2000.

Appendix A. Some Trivial Attack Scenarios Outlined

Here, a few trivial attack scenarios are outlined -- ones that are prevented by implementing checks listed in [1] or in section 6.

When two 6to4 routers send traffic to each others' domains, the packet sent by RA to RB resembles the following:

src_v6 = 2002:0800:0001::aaaa dst_v6 = 2002:0800:0002::bbbb src_v4 = 8.0.0.1 (added when encapsulated to IPv4) dst_v4 = 8.0.0.2 (added when encapsulated to IPv4)

When the packet is received by IPv4 stack on RB, it will be decapsulated so that only src_v6 and dst_v6 remain, as originally sent by RA:

src_v6 = 2002:0800:0001::aaaa dst_v6 = 2002:0800:0002::bbbb

As every other node is just one hop away (IPv6-wise) and the link-layer (IPv4) addresses are lost, this may open many possibilities for misuse.

As an example, unidirectional IPv6 spoofing is made trivial because nobody can check (without delving into IP-IP packets) whether the encapsulated IPv6 addresses were authentic. (With native IPv6, this can be done by, e.g., RPF-like mechanisms or access lists in upstream routers.)

src_v6 = 2002:1234:5678::aaaa (forged) dst_v6 = 2002:0800:0002::bbbb src_v4 = 8.0.0.1 (added when encapsulated to IPv4) dst_v4 = 8.0.0.2 (added when encapsulated to IPv4)

A similar attack with "src" being the native address is made possible, even with the security checks, by having the sender node pretend to be a 6to4 relay router.

More worries come into the picture if, e.g.,

src_v6 = ::ffff:[some trusted IPv4 in a private network] src_v6/dst_v6 = ::ffff:127.0.0.1 src_v6/dst_v6 = ::1 src_v6/dst_v6 = ...

Some implementations might have been careful enough to design the stack so as to avoid the incoming (or reply) packets going to IPv4 packet processing through special addresses (e.g., IPv4-mapped addresses), but who can say for all ...

Authors' Addresses

Pekka Savola CSC/FUNET Espoo Finland

EMail: [email protected]

Chirayu Patel All Play, No Work 185, Defence Colony Bangalore, Karnataka 560038 India

Phone: +91-98452-88078 EMail: [email protected] URI: http://www.chirayu.org

Full Copyright Statement

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- [email protected].

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.

@@ Line 1: / Line 1: @@
+Network Working Group                                          P. Savola
+Request for Comments: 3964                                    CSC/FUNET
+Category: Informational                                        C. Patel
+                                                    All Play, No Work
+                                                        December 2004
+                Security Considerations for 6to4
+Status of this Memo
+This memo provides information for the Internet community.  It does
+not specify an Internet standard of any kind.  Distribution of this
+memo is unlimited.
+Copyright Notice
+Copyright (C) The Internet Society (2004).
-Network Working Group                                          P. SavolaRequest for Comments: 3964                                    CSC/FUNETCategory: Informational                                        C. Patel                                                    All Play, No Work                                                        December 2004
-                Security Considerations for 6to4
-Status of this Memo
-This memo provides information for the Internet community.  It doesnot specify an Internet standard of any kind.  Distribution of thismemo is unlimited.
-Copyright Notice
-Copyright (C) The Internet Society (2004).
 Abstract
@@ Line 24: / Line 29: @@
 the problems.
+Table of Contents
+.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
+.  Different 6to4 Forwarding Scenarios  . . . . . . . . . . . . .  4
+.1.  From 6to4 to 6to4  . . . . . . . . . . . . . . . . . . .  4
+.2.  From Native to 6to4  . . . . . . . . . . . . . . . . . .  5
+.3.  From 6to4 to Native  . . . . . . . . . . . . . . . . . .  5
+.4.  Other Models . . . . . . . . . . . . . . . . . . . . . .  6
+.4.1.  BGP between 6to4 Routers and Relays  . . . . . .  6
+.4.2.  6to4 as an Optimization Method . . . . . . . . .  7
+.4.3.  6to4 as Tunnel End-Point Addressing Mechanism . . 8
+.  Functionalities of 6to4 Network Components . . . . . . . . . .  9
+.1.  6to4 Routers . . . . . . . . . . . . . . . . . . . . . .  9
+.2.  6to4 Relay Routers . . . . . . . . . . . . . . . . . . . 10
+.  Threat Analysis  . . . . . . . . . . . . . . . . . . . . . . . 11
+.1.  Attacks on 6to4 Networks . . . . . . . . . . . . . . . . 12
+.1.1.  Attacks with ND Messages . . . . . . . . . . . . 13
+.1.2.  Spoofing Traffic to 6to4 Nodes . . . . . . . . . 14
+.1.3.  Reflecting Traffic to 6to4 Nodes . . . . . . . . 17
+.1.4.  Local IPv4 Broadcast Attack  . . . . . . . . . . 19
+.2.  Attacks on Native IPv6 Internet  . . . . . . . . . . . . 20
+.2.1.  Attacks with ND Messages . . . . . . . . . . . . 21
+.2.2.  Spoofing Traffic to Native IPv6 Nodes. . . . . . 21
+.2.3.  Reflecting Traffic to Native IPv6 Nodes  . . . . 23
+.2.4.  Local IPv4 Broadcast Attack  . . . . . . . . . . 24
+.2.5.  Theft of Service . . . . . . . . . . . . . . . . 25
+.2.6.  Relay Operators Seen as Source of Abuse  . . . . 26
+.3.  Attacks on IPv4 Internet . . . . . . . . . . . . . . . . 28
+.4.  Summary of the Attacks . . . . . . . . . . . . . . . . . 28
+.  Implementing Proper Security Checks in 6to4  . . . . . . . . . 30
+.1.  Encapsulating IPv6 into IPv4 . . . . . . . . . . . . . . 31
+.2.  Decapsulating IPv4 into IPv6 . . . . . . . . . . . . . . 31
+.3.  IPv4 and IPv6 Sanity Checks  . . . . . . . . . . . . . . 32
+.3.1.  IPv4 . . . . . . . . . . . . . . . . . . . . . . 32
+.3.2.  IPv6 . . . . . . . . . . . . . . . . . . . . . . 33
+.3.3.  Optional Ingress Filtering . . . . . . . . . . . 33
+.3.4.  Notes about the Checks . . . . . . . . . . . . . 33
+.  Issues in 6to4 Implementation and Use  . . . . . . . . . . . . 34
+.1.  Implementation Considerations with Automatic Tunnels . . 34
+.2.  A Different Model for 6to4 Deployment  . . . . . . . . . 35
+.  Security Considerations  . . . . . . . . . . . . . . . . . . . 36
+.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 36
+.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 37
+A.  Some Trivial Attack Scenarios Outlined . . . . . . . . . . . . 39
+Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
+Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 41
 == Introduction ==
@@ Line 89: / Line 119: @@
 For the sake of simplicity, in this document, the native Internet is
 assumed to encompass IPv6 networks formed by using other transition
-mechanisms (e.g., [[RFC2893|RFC 2893]] [4]), as these mechanisms cannot talk
+mechanisms (e.g., RFC 2893 [4]), as these mechanisms cannot talk
 directly to the 6to4 network.
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-document are to be interpreted as described in [[BCP14|BCP 14]], [[RFC2119|RFC 2119]] [2].
+document are to be interpreted as described in BCP 14, RFC 2119 [2].
 Throughout this memo, IPv4 addresses from blocks 7.0.0.0/24,
@@ Line 144: / Line 167: @@
 router it wants to talk to be "on-link" (with IPv4 as the
 link-layer).
 === From Native to 6to4 ===
@@ Line 189: / Line 205: @@
 address and is assumed to be 2001:db8::1 in the example.
+                                  Configured
+                                    -or-
+                              found by IPv4 Anycast
+ .--------.      _----_        .------------.            .--------.
+ | Native |    _( IPv6 )_      | 6to4 relay |  Tunneled  |  6to4  |
+ | Client | <- ( Internet ) <-- | router    | <========= | router |
+ '--------'    (_      _)      '------------' 192.88.99.1'--------'
+:db8::1      '----'                    (or configured)  ^
+                                                              |
+                                                          .-------.
+                                                          |  6to4  |
+                                                          | client |
+                                                          '--------'
+                              Figure 3
+=== Other Models ===
+These are more or less special cases of 6to4 operations.  In later
+chapters, unless otherwise stated, only the most generally used
+models (above) will be considered.
+==== BGP between 6to4 Routers and Relays ====
+Section 5.2.2.2 in [1] presents a model where, instead of static
+configuration, BGP [6] is used between 6to4 relay routers and 6to4
+routers (for outgoing relay selection only).
+Going further than [1], if the 6to4 router established a BGP session
+between all the possible 6to4 relays and advertised its /48 prefix to
+them, the traffic from non-6to4 sites would always come from a
+"known" relay.  Alternatively, the 6to4 relays might advertise the
+more specific 6to4 routes between 6to4 relays.
+Both of these approaches are obviously infeasible due to scalability
+issues.
+Neither of these models are known to be used at the time of writing;
+this is probably because parties that need 6to4 are not able to run
+BGP, and because setting up these sessions would be much more work
+for relay operators.
+==== 6to4 as an Optimization Method ====
+Some sites seem to use 6to4 as an IPv6 connectivity "optimization
+method"; that is, they also have non-6to4 addresses on their nodes
+and border routers but also employ 6to4 to reach 6to4 sites.
+This is typically done to be able to reach 6to4 destinations by
+direct tunneling without using relays at all.
+These sites also publish both 6to4 and non-6to4 addresses in DNS to
+affect inbound connections.  If the source host's default address
+selection [7] works properly, 6to4 sources will use 6to4 addresses to
+reach the site and non-6to4 nodes use non-6to4 addresses.  If this
+behavior of foreign nodes can be assumed, the security threats to
+such sites can be significantly simplified.
+==== 6to4 as Tunnel End-Point Addressing Mechanism ====
+to4 addresses can also be used only as an IPv6-in-IPv4 tunnel
+endpoint addressing and routing mechanism.
+An example of this is interconnecting 10 branch offices where nodes
+use non-6to4 addresses.  Only the offices' border routers need to be
+aware of 6to4, and use 6to4 addresses solely for addressing the
+tunnels between different branch offices.  An example is provided in
+the figure below.
-                                  Configured
+:db8:0:10::/60                  2001:db8:0:20::/60
-                                    -or-
+    .--------.                          .--------.
-                              found by IPv4 Anycast
+  ( Branch 1 )                        ( Branch 2 )
- .--------.      _----_        .------------.            .--------.
+    '--------'                          '--------'
-  | Native |    _( IPv6 )_     | 6to4 relay |  Tunneled  |  6to4  |
+        |                                    |
- | Client | <- ( Internet ) <-- | router     | <========= | router |
+    .--------.          _----_          .--------.
- '--------'     (_      _)     '------------' 192.88.99.1'--------'
+    |  6to4  |         _( IPv4 )_       |  6to4  |
-:db8::1      '----'                    (or configured)  ^
+    | router | <====> ( Internet ) <===> | router |
-                                                              |
+    '--------'         (_      _)       '--------'
-                                                          .-------.
+.0.0.1             '----'           8.0.0.2
-                                                          |  6to4  |
+                          ^^
-                                                          | client |
+                          ||
-                                                          '--------'
+                          vv
+                      .--------.
-                              Figure 3
+                      |  6to4  | 7.0.0.3
+                      | router |
-=== Other Models ===
+                      '--------'
+                          |        2001:db8::/48
-These are more or less special cases of 6to4 operations.  In later
+                    .-----------.
-chapters, unless otherwise stated, only the most generally used
+                    ( Main Office )
-models (above) will be considered.
+                    '-----------'
+                          ^
-==== BGP between 6to4 Routers and Relays ====
+                          |
+                          v
-Section 5.2.2.2 in [1] presents a model where, instead of static
+                        _----_
-configuration, BGP [6] is used between 6to4 relay routers and 6to4
+                      _( IPv6 )_
-routers (for outgoing relay selection only).
+                      ( Internet )
+                      (_      _)
-Going further than [1], if the 6to4 router established a BGP session
+                        '----'
-between all the possible 6to4 relays and advertised its /48 prefix to
-them, the traffic from non-6to4 sites would always come from a
-"known" relay.  Alternatively, the 6to4 relays might advertise the
-more specific 6to4 routes between 6to4 relays.
-Both of these approaches are obviously infeasible due to scalability
+                              Figure 4
-issues.
-Neither of these models are known to be used at the time of writing;
-this is probably because parties that need 6to4 are not able to run
-BGP, and because setting up these sessions would be much more work
-for relay operators.
+In the figure, the main office sets up two routes:
+:db8:0:10::/60 -> 2002:0900:0001::1
+:db8:0:20::/60 -> 2002:0800:0002::1
+And a branch office sets up two routes as well:
+:db8:0:20::/60 -> 2002:0800:0002::1
+  default -> 2002:0700:0003::1
+Thus, the IPv4 Internet is treated as an NBMA link-layer for
+interconnecting 6to4-enabled sites; with explicit routes, 6to4
+addressing need not be used in routers other than the 6to4 edge
+routers.  However, note that if a branch office sends a packet to any
+to4 destination, it will not go through the main office, as the 6to4
+::/16 route overrides the default route.
+This approach may make addressing and routing slightly easier in some
+circumstances.
+== Functionalities of 6to4 Network Components ==
+This section summarizes the main functionalities of the 6to4 network
+components (6to4 routers, and 6to4 relays) and the security checks
+they must do.  The pseudo-code for the security checks is provided in
+Section 5.
+This section summarizes the main functions of the various components
+of a 6to4 network: 6to4 relay routers and 6to4 routers.  Refer to
+Section 1.1 of RFC 3056 [1] for 6to4-related definitions.
-==== 6to4 as an Optimization Method ====
+=== 6to4 Routers ===
-Some sites seem to use 6to4 as an IPv6 connectivity "optimization
+The 6to4 routers act as the border routers of a 6to4 domain.  It does
-method"; that is, they also have non-6to4 addresses on their nodes
+not have a native global IPv6 address except in certain special
-and border routers but also employ 6to4 to reach 6to4 sites.
+cases.  Since the specification [1] uses the term "6to4 router", this
+memo does the same; however, note that in this definition, we also
+include a single host with a 6to4 pseudo-interface, which doesn't
+otherwise act as a router.  The main functions of the 6to4 router are
+as follows:
-This is typically done to be able to reach 6to4 destinations by
+o  Provide IPv6 connectivity to local clients and routers.
-direct tunneling without using relays at all.
-These sites also publish both 6to4 and non-6to4 addresses in DNS to
-affect inbound connections.  If the source host's default address
-selection [7] works properly, 6to4 sources will use 6to4 addresses to
-reach the site and non-6to4 nodes use non-6to4 addresses.  If this
-behavior of foreign nodes can be assumed, the security threats to
-such sites can be significantly simplified.
+o  Tunnel packets sent to foreign 6to4 addresses to the destination
+to4 router using IPv4.
+o  Forward packets sent to locally configured 6to4 addresses to the
+to4 network.
+o  Tunnel packets sent to non-6to4 addresses to the configured/
+  closest-by-anycast 6to4 relay router.
+o  Decapsulate directly received IPv4 packets from foreign 6to4
+  addresses.
+o  Decapsulate IPv4 packets received via the relay closest to the
+  native IPv6 sources.  Note that it is not easily distinguishable
+  whether the packet was received from a 6to4 relay router or from a
+  spoofing third party.
+The 6to4 router should also perform security checks on traffic that
+it receives from other 6to4 relays, or 6to4 routers, or from within
+the 6to4 site.  These checks include the following:
+o  Disallow traffic that has private, broadcast or certain specific
+  reserved IPv4 addresses (see Section 5.3.1 for details) in
+  tunnels, or the matching 6to4 prefixes.
+o  Disallow traffic from 6to4 routers in which the IPv4 tunnel source
+  address does not match the 6to4 prefix.  (Note that the
+  pseudo-interface must pick the IPv4 address corresponding to the
+  prefix when encapsulating, or problems may ensue, e.g., on
+  multi-interface routers.)
+o  Disallow traffic in which the destination IPv6 address is not a
+  global address; in particular, link-local addresses, mapped
+  addresses, and such should not be used.
+o  Disallow traffic transmission to other 6to4 domains through 6to4
+  relay router or via some third party 6to4 router.  (To avoid
+  transmission to the relay router, the pseudo-interface prefix
+  length must be configured correctly to /16.  Further, to avoid the
+  traffic being discarded, 6to4 source addresses must always
+  correspond to the IPv4 address encapsulating the traffic.)
+o  Discard traffic received from other 6to4 domains via a 6to4 relay
+  router.
+o  Discard traffic received for prefixes other than one's own 6to4
+  prefix(es).
+=== 6to4 Relay Routers ===
+The 6to4 relay router acts as a relay between all 6to4 domains and
+native IPv6 networks; more specifically, it
+o  advertises the reachability of the 2002::/16 prefix to native IPv6
+  routing, thus receiving traffic to all 6to4 addresses from the
+  closest native IPv6 nodes,
+o  advertises (if RFC 3068 [3] is implemented) the reachability of
+  IPv4 "6to4 relay anycast prefix" (192.88.99.0/24) to IPv4 routing,
+  thus receiving some tunneled traffic to native IPv6 nodes from
+to4 routers.
+o  decapsulates and forwards packets received from 6to4 addresses
+  through tunneling, by using normal IPv6 routing, and
+o  tunnels packets received through normal IPv6 routing from native
+  addresses that are destined for 2002::/16 to the corresponding
+to4 router.
+The 6to4 relay should also perform security checks on traffic that it
+receives from 6to4 routers, or from native IPv6 nodes.  These checks
+are as follows:
+o  Disallow traffic that has private, broadcast, or certain specific
+  reserved IPv4 addresses in tunnels, or in the matching 6to4
+  prefixes.
+o  Disallow traffic from 6to4 routers in which the IPv4 tunnel source
+  address does not match the 6to4 prefix.  (Note that the
+  pseudo-interface must pick the IPv4 address corresponding to the
+  prefix when encapsulating, or problems may ensue, e.g., on
+  multi-interface routers.)
+o  Disallow traffic in which the destination IPv6 address is not a
+  global address; in particular, link-local addresses, mapped
+  addresses, and such should not be used.
+o  Discard traffic received from 6to4 routers with the destination as
+  a 6to4 prefix.
+== Threat Analysis ==
+ This section discusses attacks against the 6to4 network or attacks
+ caused by the 6to4 network.  The threats are discussed in light of
+ the 6to4 deployment models defined in Section 2.
+ There are three general types of threats:
+.  Denial-of-Service (DoS) attacks, in which a malicious node
+    prevents communication between the node under attack and other
+    nodes.
+.  Reflection Denial-of-Service (DoS) attacks, in which a malicious
+    node reflects the traffic off unsuspecting nodes to a particular
+    node (node under attack) in order to prevent communication
+    between the node under attack and other nodes.
+.  Service theft, in which a malicious node/site/operator may make
+    unauthorized use of service.
+to4 also provides a means for a "meta-threat", traffic laundering,
+in which some other attack is channeled through the third parties to
+make tracing the real origin of the attack more difficult.  This is
+used in conjunction with other threats, whether specific to 6to4 or
+not.
+At this point it is important to reiterate that the attacks are
+possible because
+.  6to4 routers have to consider all 6to4 relays, and other 6to4
+    routers, as "on-link",
+.  6to4 relays have to consider all 6to4 routers as "on-link", and
+.  it has been discovered that at least a couple of major 6to4
+    implementations do not implement all the security checks.
+The attacks' descriptions are classified based on the target of the
+attack:
+.  Attacks on 6to4 networks.
+.  Attacks on IPv6 networks.
-==== 6to4 as Tunnel End-Point Addressing Mechanism ====
+.  Attacks on IPv4 networks.
+Note that one of the mitigation methods listed for various attacks is
+based on the premise that 6to4 relays could have a feature limiting
+traffic to/from specific 6to4 sites.  At the time of this writing,
+this feature is speculative, and more work needs to be done to
+determine the logistics.
-to4 addresses can also be used only as an IPv6-in-IPv4 tunnel
+=== Attacks on 6to4 Networks ===
-endpoint addressing and routing mechanism.
-An example of this is interconnecting 10 branch offices where nodes
+This section describes attacks against 6to4 networks.  Attacks that
-use non-6to4 addresses.  Only the offices' border routers need to be
+leverage 6to4 networks, but for which the ultimate victim is
-aware of 6to4, and use 6to4 addresses solely for addressing the
+elsewhere (e.g., a native IPv6 user, an IPv4 user), are described
-tunnels between different branch offices.  An example is provided in
+later in the memo.
-the figure below.
+to4 relays and routers are IPv4 nodes, and there is no way for any
+to4 router to confirm the identity of the IPv4 node from which it
+receives traffic -- whether from a legitimate 6to4 relay or some
+other node.  A 6to4 router has to process traffic from all IPv4
+nodes.  Malicious IPv4 nodes can exploit this property and attack
+nodes within the 6to4 network.
+It is possible to conduct a variety of attacks on the 6to4 nodes.
+These attacks are as follows:
+.  Attacks with Neighbor Discovery (ND) Messages
-:db8:0:10::/60                  2001:db8:0:20::/60
+.  Spoofing traffic to 6to4 nodes
-    .--------.                          .--------.
-  ( Branch 1 )                        ( Branch 2 )
-    '--------'                          '--------'
-        |                                    |
-    .--------.          _----_          .--------.
-    |  6to4  |        _( IPv4 )_        |  6to4  |
-    | router | <====> ( Internet ) <===> | router |
-    '--------'        (_      _)        '--------'
-.0.0.1            '----'            8.0.0.2
-                          ^^
-                          ||
-                          vv
-                      .--------.
-                      |  6to4  | 7.0.0.3
-                      | router |
-                      '--------'
-                          |        2001:db8::/48
-                    .-----------.
-                    ( Main Office )
-                    '-----------'
-                          ^
-                          |
-                          v
-                        _----_
-                      _( IPv6 )_
-                      ( Internet )
-                      (_      _)
-                        '----'
-                              Figure 4
+.  Reflecting traffic from 6to4 nodes
-In the figure, the main office sets up two routes:
+.  Local IPv4 broadcast attack
-:db8:0:10::/60 -> 2002:0900:0001::1
+==== Attacks with ND Messages ====
-:db8:0:20::/60 -> 2002:0800:0002::1
+ATTACK DESCRIPTION
+Since the 6to4 router assumes that all the other 6to4 routers and
+to4 relays are "on-link", it is possible to attack the 6to4 router
+by using ND messages from any node in the IPv4 network, unless a
+prior trust relationship has been established.
+The attacks target the 6to4 pseudo-interface.  As long as the 6to4
+addresses are not used in the source or destination address, the
+security checks specified by 6to4 take no stance on these packets.
+Typically they use link-local addresses.
+For example, an attack could be a Route Advertisement or Neighbor
+Advertisement message crafted specifically to cause havoc; the
+addresses in such a packet could resemble to the following:
-And a branch office sets up two routes as well:
+src_v6 = fe80::2          (forged address)
+dst_v6 = fe80::1          (valid or invalid address)
+src_v4 = 8.0.0.1          (valid or forged address)
+dst_v4 = 9.0.0.2          (valid address, matches dst_v6)
+These attacks are exacerbated if the implementation supports more
+tunneling mechanisms than 6to4 (or configured tunneling) because it
+is impossible to disambiguate such mechanisms, making it difficult to
+enable strict security checks (see Section 6.1).
-:db8:0:20::/60 -> 2002:0800:0002::1
+The Neighbor Discovery threats (Redirect DoS, or DoS) are described
+in [8].  Note that all attacks may not be applicable, as the 6to4
-  default -> 2002:0700:0003::1
+pseudo-interface is assumed not to have a link-layer address (Section
+.8 RFC 2893 [4]).  However, note that the 6to4 router can be either
+a router or host from the Neighbor Discovery perspective.
-Thus, the IPv4 Internet is treated as an NBMA link-layer for
+THREAT ANALYSIS AND MITIGATION METHODS
-interconnecting 6to4-enabled sites; with explicit routes, 6to4
-addressing need not be used in routers other than the 6to4 edge
-routers.  However, note that if a branch office sends a packet to any
-to4 destination, it will not go through the main office, as the 6to4
-::/16 route overrides the default route.
-This approach may make addressing and routing slightly easier in some
+The attacks can be mitigated by using any of the following methods:
-circumstances.
-== Functionalities of 6to4 Network Components ==
+o  The usage of ND messages could be prohibited.  This implies that
+  all packets using addresses of scope link-local will be silently
+  discarded.  Section 3.1 of RFC 3056 [1] leaves scope for future
+  uses of link-local address.  This method has its pitfalls: It
+  would prohibit any sort of ND message and thus close the doors on
+  development and use of other ND options.  Whether this is a
+  significant problem is another thing.
-This section summarizes the main functionalities of the 6to4 network
+o  The 6to4 pseudo-interface could be insulated from the other
-components (6to4 routers, and 6to4 relays) and the security checks
+  interfaces, particularly the other tunnel interfaces (if any), for
-they must do.  The pseudo-code for the security checks is provided in
+  example by using a separate neighbor cache.
-Section 5.
-This section summarizes the main functions of the various components
+o  If ND messages are needed, either IPsec [4] or an extension of
-of a 6to4 network: 6to4 relay routers and 6to4 routers.  Refer to
+  SEND could be used [9] to secure packet exchange using the
-Section 1.1 of [[RFC3056|RFC 3056]] [1] for 6to4-related definitions.
+  link-local address; vanilla SEND would not work, as the link-layer
+  does not have an address -- and IPsec would be rather complex.
-=== 6to4 Routers ===
+COMPARISON TO SITUATION WITHOUT 6to4
-The 6to4 routers act as the border routers of a 6to4 domain.  It does
+Even though rather simply fixed, this attack is not new as such; the
-not have a native global IPv6 address except in certain special
+same is possible by using automatic tunneling [4] or configured
-cases.  Since the specification [1] uses the term "6to4 router", this
+tunneling (if one is able to spoof source IPv4 address to that of the
-memo does the same; however, note that in this definition, we also
+tunnel end-point).
-include a single host with a 6to4 pseudo-interface, which doesn't
-otherwise act as a router.  The main functions of the 6to4 router are
-as follows:
-o  Provide IPv6 connectivity to local clients and routers.
+However, as 6to4 provides open decapsulation, and automatic tunneling
+is being deprecated [10], 6to4 provides an easy means, which would
+not exist without it.
-o  Tunnel packets sent to foreign 6to4 addresses to the destination
+==== Spoofing Traffic to 6to4 Nodes ====
-to4 router using IPv4.
-o  Forward packets sent to locally configured 6to4 addresses to the
+ATTACK DESCRIPTION
-to4 network.
-o  Tunnel packets sent to non-6to4 addresses to the configured/
+The attacker - a malicious IPv4 or IPv6 node - can send packets that
-  closest-by-anycast 6to4 relay router.
+are difficult to trace (e.g., due to spoofing or going through a
+relay) to a 6to4 node.  This can be used e.g., to accomplish a DoS
+attack.
+The IPv6 and IPv4 addresses of the packets will be similar to the
+following:
+src_v6 = 2001:db8::1      (forged address)
+dst_v6 = 2002:0900:0002::1 (valid address)
+src_v4 = 8.0.0.1          (valid or forged address)
+dst_v4 = 9.0.0.2          (valid address, matches dst_v6)
+For attacks launched from a native IPv6 node, the src_v4 will be the
+address of the relay through which the traffic will reach the 6to4
+node.  From IPv4 nodes, src_v4 can be either a spoofed source address
+or the real one.
+The 6to4 router receives these packets from 8.0.0.1, decapsulates
+them, discards the IPv4 header containing the source address 8.0.0.1,
+and processes them as normal (the attacker has guessed or obtained
+"dst_v6" by using one of a number of techniques).
+This is a DoS attack on 6to4 nodes.
-o  Decapsulate directly received IPv4 packets from foreign 6to4
+This attack is similar to those shown in [11].
-  addresses.
-o  Decapsulate IPv4 packets received via the relay closest to the
+EXTENSIONS
-  native IPv6 sources.  Note that it is not easily distinguishable
-  whether the packet was received from a 6to4 relay router or from a
-  spoofing third party.
-The 6to4 router should also perform security checks on traffic that
+Replies to the traffic will be directed to the src_v6 address,
-it receives from other 6to4 relays, or 6to4 routers, or from within
+resulting in 6to4 nodes participating in a reflection DoS.  This
-the 6to4 site.  These checks include the following:
+attack is described in more detail in Section 4.2.3.  The replies
+(e.g., TCP SYN ACK, TCP RST, ICMPv6 Echo Reply, input sent to UDP
-o  Disallow traffic that has private, broadcast or certain specific
+echo service, ICMPv6 Destination Unreachable) are sent to the victim
-  reserved IPv4 addresses (see Section 5.3.1 for details) in
+(src_v6), above.  All the traces from the original attacker (src_v4)
-  tunnels, or the matching 6to4 prefixes.
+have been discarded.  These return packets will go through a relay.
-o  Disallow traffic from 6to4 routers in which the IPv4 tunnel source
+Certain 6to4 networks may have a trivial ACL (Access Control List)
-  address does not match the 6to4 prefix.  (Note that the
+based firewall that allows traffic to pass through if it comes from
-  pseudo-interface must pick the IPv4 address corresponding to the
+particular source(s).  Such a firewalling mechanism can be bypassed
-  prefix when encapsulating, or problems may ensue, e.g., on
+by address spoofing.  This attack can therefore be used for trivial
-  multi-interface routers.)
+ACL avoidance as well.  These attacks might be hampered because the
+replies from the 6to4 node to the spoofed address will be lost.
-o  Disallow traffic in which the destination IPv6 address is not a
+THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
-  global address; in particular, link-local addresses, mapped
-  addresses, and such should not be used.
-o  Disallow traffic transmission to other 6to4 domains through 6to4
+The Denial-of-Service attack based on traffic spoofing is not new;
-  relay router or via some third party 6to4 router.  (To avoid
+the only twists come from the fact that traces of an attack are more
-  transmission to the relay router, the pseudo-interface prefix
+easily lost, and that spoofing the IPv6 address is possible even to
-  length must be configured correctly to /16.  Further, to avoid the
+those who are unable to do so in their current networks.  The 6to4
-  traffic being discarded, 6to4 source addresses must always
+router typically does not log IPv4 addresses (as they would be
-  correspond to the IPv4 address encapsulating the traffic.)
+treated as L2 addresses), and thus the source of the attack (if
+launched from an IPv4 node) is lost.  Because traces to the src_v4
+address are easily lost, these attacks can also be launched from IPv4
+nodes whose connections are ingress-filtered.
-o  Discard traffic received from other 6to4 domains via a 6to4 relay
+However, often this is not a real factor, as usually the attackers
-  router.
+are just zombies and real attackers may not even care whether the
+unspoofed source address is discovered.
-o  Discard traffic received for prefixes other than one's own 6to4
+Malicious native IPv6 nodes could be caught easily if ingress
-  prefix(es).
+filtering was enabled everywhere in the IPv6 Internet.
-=== 6to4 Relay Routers ===
+These attacks are easy to perform, but the extent of harm is limited:
-The 6to4 relay router acts as a relay between all 6to4 domains and
+o  For every packet sent, at most one reply packet is generated:
-native IPv6 networks; more specifically, it
+  there is no amplification factor.
-o  advertises the reachability of the 2002::/16 prefix to native IPv6
+o  Attack packets, if initiated from an IPv6 node, will pass through
-   routing, thus receiving traffic to all 6to4 addresses from the
+   choke point(s), namely a 6to4 relay; in addition to physical
-   closest native IPv6 nodes,
+  limitations, these could implement some form of 6to4-site-specific
+   traffic limiting.
+On the other hand, a variety of factors can make the attacks serious:
+o  The attacker may have the ability to choose the relay, and he
+  might employ the ones best suited for the attacks.  Also, many
+  relays use 192.88.99.1 [3] as the source address, making tracing
+  even more difficult (also see Section 4.2.6).
+o  The relay's IPv4 address may be used as a source address for these
+  attacks, potentially causing a lot of complaints or other actions,
+  as the relay might seem to be the source of the attack (see
+  Section 4.2.6 for more).
+Some of the mitigation methods for such attacks are as follows:
+.  Ingress filtering in the native IPv6 networks to prevent packets
+    with spoofed IPv6 sources from being transmitted.  This would,
+    thus, make it easy to identify the source of the attack.
+    Unfortunately, it would depend on significant (or even complete)
+    ingress filtering everywhere in other networks; while this is
+    highly desirable, it may not be feasible.
-o  advertises (if [[RFC3068|RFC 3068]] [3] is implemented) the reachability of
+.  Security checks in the 6to4 relay.  The 6to4 relay must drop
-  IPv4 "6to4 relay anycast prefix" (192.88.99.0/24) to IPv4 routing,
+    traffic (from the IPv6 Internet) that has 6to4 addresses as
-  thus receiving some tunneled traffic to native IPv6 nodes from
+    source address; see Section 5 for more detail.  This has very
-to4 routers.
+    little cost.
-o  decapsulates and forwards packets received from 6to4 addresses
+However, these mitigation methods do not address the case of an IPv4
-  through tunneling, by using normal IPv6 routing, and
+node sending encapsulated IPv6 packets.
-o  tunnels packets received through normal IPv6 routing from native
+No simple way to prevent such attacks exists, and longer-term
-  addresses that are destined for 2002::/16 to the corresponding
+solutions, such as ingress filtering [12] or itrace [13], would have
-to4 router.
-The 6to4 relay should also perform security checks on traffic that it
+to be deployed in both IPv6 and IPv4 networks to help identify the
-receives from 6to4 routers, or from native IPv6 nodes.  These checks
+source of the attacks.  A total penetration is likely impossible.
-are as follows:
+(Note that itrace work has been discontinued, as of this writing in
+July 2004.)
-o  Disallow traffic that has private, broadcast, or certain specific
+COMPARISON TO SITUATION WITHOUT 6to4
-  reserved IPv4 addresses in tunnels, or in the matching 6to4
-  prefixes.
-o  Disallow traffic from 6to4 routers in which the IPv4 tunnel source
+Traffic spoofing is not a new phenomenon in IPv4 or IPv6.  6to4 just
-  address does not match the 6to4 prefix.  (Note that the
+makes it easier: Anyone can, regardless of ingress filtering, spoof a
-  pseudo-interface must pick the IPv4 address corresponding to the
+native IPv6 address to a 6to4 node, even if "maximal security" would
-  prefix when encapsulating, or problems may ensue, e.g., on
+be implemented and deployed.  Losing trails is also easier.
-  multi-interface routers.)
-o  Disallow traffic in which the destination IPv6 address is not a
+Therefore, depending on how much one assumes ingress filtering is
-  global address; in particular, link-local addresses, mapped
+deployed for IPv4 and IPv6, this could be considered either a very
-  addresses, and such should not be used.
+serious issue or close to irrelevant compared to the IP spoofing
+capabilities without 6to4.
-o  Discard traffic received from 6to4 routers with the destination as
+==== Reflecting Traffic to 6to4 Nodes ====
-  a 6to4 prefix.
-== Threat Analysis ==
+ATTACK DESCRIPTION
- This section discusses attacks against the 6to4 network or attacks
+Spoofed traffic (as described in Section 4.2.2) may be sent to native
- caused by the 6to4 network.  The threats are discussed in light of
+IPv6 nodes to perform a reflection attack against 6to4 nodes.
- the 6to4 deployment models defined in Section 2.
-  There are three general types of threats:
+The spoofed traffic is sent to a native IPv6 node, either from an
+IPv4 node (through a 6to4 relay) or from a native IPv6 node (unless
+ingress filtering has been deployed).  With the former, the sent
+packets would resemble the following:
-.  Denial-of-Service (DoS) attacks, in which a malicious node
+src_v6 = 2002:1234:1234::1 (forged address of the target 6to4 node)
-    prevents communication between the node under attack and other
+dst_v6 = 2002:0900:0002::1 (valid address)
-    nodes.
+src_v4 = 8.0.0.1          (valid or invalid address)
+dst_v4 = 9.0.0.2          (valid address, matches dst_v6)
+Note that an attack through the relay is prevented if the relay
+implements proper decapsulation security checks (see Section 5 for
+details) unless the IPv4 node can spoof the source address to match
+src_v6.  Similarly, the attack from native IPv6 nodes could be
+prevented by global ingress filtering deployment.
+These attacks can be initiated by native IPv6, IPv4, or 6to4 nodes.
+EXTENSIONS
+A distributed Reflection DoS can be performed if a large number of
+nodes are involved in sending spoofed traffic with the same src_v6.
+Malicious 6to4 nodes can also (try to) initiate this attack by
+bouncing traffic off 6to4 nodes in other 6to4 sites.  However, this
+attack may not be possible, as the 6to4 router (in the site from
+which the attack is launched) will filter packets with forged source
+addresses (with security checks mentioned in Section 5).
+THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+In this case, the reverse traffic comprises replies to the messages
+received by the 6to4 nodes.  The attacker has less control on the
+packet type, and this would inhibit certain types of attacks.  For
+example, flooding a 6to4 node with TCP SYN packets will not be
+possible (but e.g., a SYN-ACK or RST would be).
+These attacks may be mitigated in various ways:
-.  Reflection Denial-of-Service (DoS) attacks, in which a malicious
+o  Implementation of ingress filtering by the IPv4 service providers.
-    node reflects the traffic off unsuspecting nodes to a particular
+  This would prevent forging of the src_v4 address and help in
-    node (node under attack) in order to prevent communication
+  closing down on the culprit IPv4 nodes.  Note that it will be
-    between the node under attack and other nodes.
+  difficult to shut down the attack if a large number of IPv4 nodes
+  are involved.
-.  Service theft, in which a malicious node/site/operator may make
+  These attacks may be also be stopped at the 6to4 sites if the
-    unauthorized use of service.
+  culprit src_v4 address is identified, and if it is constant, by
+  filtering traffic from this address.  Note that it would be
+  difficult to implement this method if appropriate logging were not
+  done by the 6to4 router or if a large number of 6to4 nodes, and/or
+  a large number of IPv4 nodes were participating in the attack.
-to4 also provides a means for a "meta-threat", traffic laundering,
+  Unfortunately, because many IPv4 service providers don't implement
-in which some other attack is channeled through the third parties to
+  ingress filtering, for whatever reasons, this may not be a
-make tracing the real origin of the attack more difficult.  This is
+  satisfactory solution.
-used in conjunction with other threats, whether specific to 6to4 or
-not.
-At this point it is important to reiterate that the attacks are
+o  Implementation of ingress filtering by all IPv6 service providers
-possible because
+  would eliminate this attack, because src_v6 could not be spoofed
+  as a 6to4 address.  However, expecting this to happen may not be
+  practical.
-.  6to4 routers have to consider all 6to4 relays, and other 6to4
+o  Proper implementation of security checks (see Section 5) both at
-    routers, as "on-link",
+  the 6to4 relays and routers would eliminate an attack launched
+  from an IPv4 node, except when the IPv4 source address was also
+  spoofed -- but then the attacker would have been able to attack
+  the ultimate destination directly.
-.  6to4 relays have to consider all 6to4 routers as "on-link", and
+o  Rate limiting traffic at the 6to4 relays.  In a scenario where
+  most of the traffic is passing through few 6to4 relays, these
+  relays can implement traffic rate-limiting features and rate-limit
+  the traffic from 6to4 sites.
-.  it has been discovered that at least a couple of major 6to4
+COMPARISON TO SITUATION WITHOUT 6to4
-    implementations do not implement all the security checks.
-The attacks' descriptions are classified based on the target of the
+This particular attack can be mitigated by proper implementation of
-attack:
+security checks (which is quite straightforward) and ingress
+filtering; when ingress filtering is not implemented, it is typically
+easier to attack directly than through reflection -- unless "traffic
+laundering" is an explicit goal of the attack.  Therefore, this
+attack does not seem very serious.
-.  Attacks on 6to4 networks.
+==== Local IPv4 Broadcast Attack ====
-.  Attacks on IPv6 networks.
+ATTACK DESCRIPTION
-.  Attacks on IPv4 networks.
+This threat is applicable if the 6to4 router does not check whether
+the IPv4 address to which it tries to send encapsulated IPv6 packets
+is a local broadcast address or a multicast address.
-Note that one of the mitigation methods listed for various attacks is
+This threat is described in the specification [1], and implementing
-based on the premise that 6to4 relays could have a feature limiting
+the checks eliminates this threat.  However, as checks have not been
-traffic to/from specific 6to4 sites.  At the time of this writing,
+widely implemented, the threat is included here for completeness.
-this feature is speculative, and more work needs to be done to
-determine the logistics.
-=== Attacks on 6to4 Networks ===
+There practically two kinds of attacks: when a local 6to4 user tries
+to send packets to the address corresponding to the broadcast
+address, and when someone is able to do so remotely.
-This section describes attacks against 6to4 networks.  Attacks that
+In the first option, assume that 9.0.0.255 is the 6to4 router's
-leverage 6to4 networks, but for which the ultimate victim is
+broadcast address.  After receiving the packet with a destination
-elsewhere (e.g., a native IPv6 user, an IPv4 user), are described
+address like "2002:0900:00ff::bbbb" from a local 6to4 node, if the
-later in the memo.
+router doesn't check the destination address for subnet broadcast, it
+would send the encapsulated protocol-41 packet to 9.0.0.255.  This
+would be received by all nodes in the subnet, and the responses would
+be directed to the 6to4 router.
+Malicious sites may also embed forged 6to4 addresses in the DNS, use
+of which by a 6to4 node would result in a local broadcast by the 6to4
+router.  One way to perform this attack would be to send an HTML mail
+containing a link to an invalid URL (for example,
+http://[2002:0900:00ff::bbbb]/index.html) to all users in a 6to4
+technology based network.  Opening of the mail simultaneously would
+result in a broadcast storm.
+The second kind of attack is more complex: The attack can be
+initiated by IPv4 nodes not belonging to the local network as long as
+they can send traffic with invalid (for example 2002:0900:00ff::bbbb)
+source address.  The 6to4 router has to respond to the traffic by
+sending ICMPv6 packets back to the source, (e.g., Hop Limit Exceeded
+or Destination Unreachable).  The packet would be as follows:
+src_v6 = 2002:0800:00ff::bbbb (broadcast address of the router)
+dst_v6 = 2002:0800:0001::0001 (valid non-existent address)
+This is a DoS attack.
+EXTENSIONS
+The attacks could also be directed at non-local broadcast addresses,
+but these would be so-called "IPv4 directed broadcasts", which have
+(luckily enough) already been extensively blocked in the Internet.
-to4 relays and routers are IPv4 nodes, and there is no way for any
+THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
-to4 router to confirm the identity of the IPv4 node from which it
-receives traffic -- whether from a legitimate 6to4 relay or some
-other node.  A 6to4 router has to process traffic from all IPv4
-nodes.  Malicious IPv4 nodes can exploit this property and attack
-nodes within the 6to4 network.
-It is possible to conduct a variety of attacks on the 6to4 nodes.
+The attack is based on the premise that the 6to4 router has to send a
-These attacks are as follows:
+packet that embeds an invalid IPv4 address to an IPv6 address.  Such
+an attack is easily thwarted by ensuring that the 6to4 router does
+not transmit packets to invalid IPv4 addresses.  Specifically,
+traffic should not be sent to broadcast or multicast IPv4 addresses.
-.  Attacks with Neighbor Discovery (ND) Messages
+COMPARISON TO SITUATION WITHOUT 6to4
-.  Spoofing traffic to 6to4 nodes
+The first threat is similar to what is already possible with IPv4,
+but IPv6 does not have broadcast addresses.
-.  Reflecting traffic from 6to4 nodes
+The second, a more complex threat, is, similarly, also available in
+IPv4.
-.  Local IPv4 broadcast attack
+In consequence, the security does not seem to be significantly worse
+than with IPv4, and even that is restricted to the site(s) with 6to4
+implementations that haven't been secured as described in Section 5.
-==== Attacks with ND Messages ====
+=== Attacks on Native IPv6 Internet ===
-ATTACK DESCRIPTION
+This section describes attacks against native IPv6 Internet that
+somehow leverage 6to4 architecture.  Attacks against 6to4 nodes were
+described in the previous section.
-Since the 6to4 router assumes that all the other 6to4 routers and
+to4 and IPv4 nodes can access native IPv6 nodes through the 6to4
-to4 relays are "on-link", it is possible to attack the 6to4 router
+relay routers.  Thus, the 6to4 relays play a crucial role in any
-by using ND messages from any node in the IPv4 network, unless a
+attack on native IPv6 nodes by IPv4 nodes or 6to4 nodes.
-prior trust relationship has been established.
-The attacks target the 6to4 pseudo-interface.  As long as the 6to4
+to4 relays have only one significant security check they must
-addresses are not used in the source or destination address, the
+perform for general safety: When decapsulating IPv4 packets, they
-security checks specified by 6to4 take no stance on these packets.
+check that 2002:V4ADDR::/48 and V4ADDR match in the source address.
-Typically they use link-local addresses.
+If this is not done, several threats become more serious; in the
+following analysis, it is assumed that such checks are implemented.
-For example, an attack could be a Route Advertisement or Neighbor
+to4 relay should not relay packets between 6to4 addresses.  In
-Advertisement message crafted specifically to cause havoc; the
+particular, packets decapsulated from 6to4 routers should not be
-addresses in such a packet could resemble to the following:
+encapsulated toward 6to4 routers, as described in Section 5.
+Similarly, packets with 6to4 source and destination addresses sent
+from IPv6 nodes should not be relayed.  It is not clear whether this
+kind of check is typically implemented.  The attacks described below
+assume that such checks are not implemented.
-src_v6 = fe80::2          (forged address)
+==== Attacks with ND Messages ====
-dst_v6 = fe80::1          (valid or invalid address)
-src_v4 = 8.0.0.1          (valid or forged address)
-dst_v4 = 9.0.0.2          (valid address, matches dst_v6)
-These attacks are exacerbated if the implementation supports more
+These attacks are the same as those employed against 6to4 routers, as
-tunneling mechanisms than 6to4 (or configured tunneling) because it
+described in Section 4.1.1.
-is impossible to disambiguate such mechanisms, making it difficult to
-enable strict security checks (see Section 6.1).
-The Neighbor Discovery threats (Redirect DoS, or DoS) are described
+==== Spoofing Traffic to Native IPv6 Node ====
-in [8].  Note that all attacks may not be applicable, as the 6to4
+ATTACK DESCRIPTION
+The attacker - a malicious IPv4 or 6to4 node - can send packets with
+a spoofed (or not spoofed) 6to4 source address to a native IPv6 node
+to accomplish a DoS attack.
+The threat is similar to that involving 6to4 routers, as described in
+Section 4.1.2.
+The difference here is that the attack is initiated by IPv4 or 6to4
+nodes.  The source IPv6 address may or may not be spoofed.  Note
+that, as mentioned above, the relay is assumed to correlate the
+source IPv4 address with the address embedded in the source IPv6
+address during decapsulation.  A side effect is that all spoofed
+traffic will have a 6to4 source address.
-pseudo-interface is assumed not to have a link-layer address (Section
+EXTENSIONS
-.8 [[RFC2893|RFC 2893]] [4]).  However, note that the 6to4 router can be either
-a router or host from the Neighbor Discovery perspective.
-THREAT ANALYSIS AND MITIGATION METHODS
-The attacks can be mitigated by using any of the following methods:
+Spoofed traffic may also be sent to native IPv6 nodes either by other
+native IPv6 nodes, by 6to4 nodes, or by malicious IPv4 nodes to
+conduct Reflection DoS on either native IPv6 nodes or 6to4 nodes.
-o  The usage of ND messages could be prohibited.  This implies that
+Certain native IPv6 networks may have a trivial ACL (Access Control
-  all packets using addresses of scope link-local will be silently
+List) based firewall that allows traffic to pass through if it comes
-  discarded.  Section 3.1 of [[RFC3056|RFC 3056]] [1] leaves scope for future
+from particular source(s).  Such a firewalling mechanism can be
-  uses of link-local address.  This method has its pitfalls: It
+bypassed by address spoofing.  This attack can therefore be used for
-  would prohibit any sort of ND message and thus close the doors on
+trivial ACL avoidance as well.  These attacks might be hampered by
-  development and use of other ND options.  Whether this is a
+lost replies from the 6to4 node to the spoofed address.
-  significant problem is another thing.
-o  The 6to4 pseudo-interface could be insulated from the other
+THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
-  interfaces, particularly the other tunnel interfaces (if any), for
-  example by using a separate neighbor cache.
-o  If ND messages are needed, either IPsec [4] or an extension of
+The Denial-of-Service attack based on traffic spoofing is not new;
-  SEND could be used [9] to secure packet exchange using the
+the only twist is that traces of an attack are more easily lost.  The
-  link-local address; vanilla SEND would not work, as the link-layer
+to4 relay typically does not log IPv4 addresses (as they would be
-  does not have an address -- and IPsec would be rather complex.
+treated as L2 addresses), and thus the source of the attack (if
+launched from an IPv4 node) is lost.  Because traces to the src_v4
+address are easily lost, these attacks can also be launched from IPv4
+nodes whose connections are ingress-filtered.
-COMPARISON TO SITUATION WITHOUT 6to4
+These attacks might not be easy to perform and might be hampered
+because of the following:
-Even though rather simply fixed, this attack is not new as such; the
+o  It might be difficult to launch such attacks from 6to4 nodes
-same is possible by using automatic tunneling [4] or configured
+  because even if the 6to4 routers allow spoofing of the source IPv6
-tunneling (if one is able to spoof source IPv4 address to that of the
+  address, the 6to4 relay would check whether the source V4ADDR is
-tunnel end-point).
+  the same as the one embedded in the source IPv6 address.  Thus,
+to4 nodes will be forced to use the correct IPv6 prefix while
+  launching an attack, making it easy to close such attacks.
-However, as 6to4 provides open decapsulation, and automatic tunneling
+o  Packets may pass through choke point(s), namely a 6to4 relay.  In
-is being deprecated [10], 6to4 provides an easy means, which would
+  addition to physical limitations, there could be some sort of
-not exist without it.
+  traffic rate limiting mechanisms that may be implemented, and
+  these could tone down the attack.
-==== Spoofing Traffic to 6to4 Nodes ====
+o  For every packet sent, at most one reply packet is generated:
+  There is no amplification factor.
-ATTACK DESCRIPTION
+Some of the mitigation methods for such attacks are as follows:
-The attacker - a malicious IPv4 or IPv6 node - can send packets that
+.  Ingress filtering in the IPv4 Internet to prevent packets with a
-are difficult to trace (e.g., due to spoofing or going through a
+    spoofed IPv4 source from being transmitted.  As the relay checks
-relay) to a 6to4 node.  This can be used e.g., to accomplish a DoS
+    that the 6to4 address embeds the IPv4 address, no spoofing can be
-attack.
+    achieved unless IPv4 addresses can be spoofed.  However, this
+    would probably be an unfeasible requirement.
-The IPv6 and IPv4 addresses of the packets will be similar to the
+.  Security checks in the 6to4 relay.  The 6to4 relay must drop
-following:
+    traffic (from 6to4 nodes, or IPv4 nodes) with non-6to4 addresses
+    as the source address, or for which the source IPv4 address does
+    not match the address embedded in the source IPv6 address.
+COMPARISON TO SITUATION WITHOUT 6to4
+Compared to Section 4.1.2, which describes more serious threats, this
+threat appears to be slightly more manageable.  If the relays perform
+proper decapsulation checks, the spoofing can only be achieved, to a
+to4 source address, when the IPv4 address is spoofable as well.
+==== Reflecting Traffic to Native IPv6 Nodes ====
+ATTACK DESCRIPTION
+These reflection attacks are similar to that involving 6to4 routers,
+as described in Section 4.1.3.  Traffic may be reflected off native
+IPv6 nodes, or off 6to4 nodes.  The attack can be initiated by one of
+the following:
-src_v6 = 2001:db8::1      (forged address)
+o  Native IPv6 nodes.  These nodes can send invalid traffic with
-dst_v6 = 2002:0900:0002::1 (valid address)
+  spoofed native IPv6 addresses to valid 6to4 nodes.  Replies from
-src_v4 = 8.0.0.1          (valid or forged address)
+  the 6to4 nodes are part of a reflection attack.
-dst_v4 = 9.0.0.2          (valid address, matches dst_v6)
-For attacks launched from a native IPv6 node, the src_v4 will be the
-address of the relay through which the traffic will reach the 6to4
-node.  From IPv4 nodes, src_v4 can be either a spoofed source address
-or the real one.
-The 6to4 router receives these packets from 8.0.0.1, decapsulates
+o  IPv4 nodes.  These nodes can send traffic with native IPv6 source
-them, discards the IPv4 header containing the source address 8.0.0.1,
+  addresses (encapsulated by the IPv4 node itself into a protocol-41
-and processes them as normal (the attacker has guessed or obtained
+  packet) to 6to4 nodes.  Replies from the 6to4 nodes are part of a
-"dst_v6" by using one of a number of techniques).
+  reflection attack.
-This is a DoS attack on 6to4 nodes.
+o  6to4 nodes.  These nodes can perform attacks similar to those by
+  IPv4 nodes, but this would require spoofing of the source address
+  at the 6to4 site before encapsulation, which is likely to be
+  difficult.
-This attack is similar to those shown in [11].
+When launched from a native IPv6 node, the traffic goes through 6to4
+relays twice, both before and after the reflection; when launched
+from a 6to4/IPv4 node, the traffic goes through a relay only after
+the reflection.
 EXTENSIONS
-Replies to the traffic will be directed to the src_v6 address,
+A distributed reflection DoS can be performed if a large number of
-resulting in 6to4 nodes participating in a reflection DoS.  This
+native IPv6 nodes or IPv4/6to4 nodes are involved in sending spoofed
-attack is described in more detail in Section 4.2.3.  The replies
+traffic with the same source IPv6 address.
-(e.g., TCP SYN ACK, TCP RST, ICMPv6 Echo Reply, input sent to UDP
-echo service, ICMPv6 Destination Unreachable) are sent to the victim
-(src_v6), above.  All the traces from the original attacker (src_v4)
-have been discarded.  These return packets will go through a relay.
-Certain 6to4 networks may have a trivial ACL (Access Control List)
-based firewall that allows traffic to pass through if it comes from
-particular source(s).  Such a firewalling mechanism can be bypassed
-by address spoofing.  This attack can therefore be used for trivial
-ACL avoidance as well.  These attacks might be hampered because the
-replies from the 6to4 node to the spoofed address will be lost.
 THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
-The Denial-of-Service attack based on traffic spoofing is not new;
+Some of the mitigation methods for such attacks are as follows:
-the only twists come from the fact that traces of an attack are more
-easily lost, and that spoofing the IPv6 address is possible even to
-those who are unable to do so in their current networks.  The 6to4
-router typically does not log IPv4 addresses (as they would be
-treated as L2 addresses), and thus the source of the attack (if
-launched from an IPv4 node) is lost.  Because traces to the src_v4
-address are easily lost, these attacks can also be launched from IPv4
-nodes whose connections are ingress-filtered.
+.  Attacks from the native IPv6 nodes could be stopped by
+    implementing ingress filtering in the IPv6 Internet; hopefully
+    this will become commonplace, but past experience of IPv4 ingress
+    filtering deployment (or lack thereof) does not promise much.
+.  Two measures are needed to stop or mitigate the attacks from IPv4
+    nodes: 1) Implementing ingress filtering in the IPv4 internet,
+    and 2) logging IPv4 source addresses in the 6to4 router.
+.  Attacks from 6to4 nodes in other sites can be stopped if the 6to4
+    routers in those sites implement egress filtering.  This could be
+    done by those sites, but the sites that are most likely to be
+    abused are typically also those most likely to neglect installing
+    appropriate filtering at their edges.
+.  The traffic passes through one or two relays, and traffic rate
+    limiting in the 6to4 relays might help tone down the reflection
+    attack.
+COMPARISON TO SITUATION WITHOUT 6to4
-However, often this is not a real factor, as usually the attackers
+Even though there are means to mitigate it, the attack is still
-are just zombies and real attackers may not even care whether the
+rather efficient, especially when used by native IPv6 nodes with
-unspoofed source address is discovered.
+spoofed addresses.  Using 6to4 relays and routers could easily take
+down the 6to4 relay system and/or provide an easy means for traffic
+laundering.  However, if the attack is intended to DoS the victim,
+this can be achieved more smoothly by doing it directly (as the
+source address spoofing was available as well).
-Malicious native IPv6 nodes could be caught easily if ingress
+Therefore, the threat to the availability and stability of the 6to4
-filtering was enabled everywhere in the IPv6 Internet.
+relay system itself seems to be higher than to the native IPv6
+Internet.
-These attacks are easy to perform, but the extent of harm is limited:
+==== Local IPv4 Broadcast Attack ====
-o  For every packet sent, at most one reply packet is generated:
+This attack is similar to the ones employed against 6to4 routers, as
-  there is no amplification factor.
+described in Section 4.1.4.  There are slight differences with regard
+to the source of the attacks.  This attack can be initiated by:
-o  Attack packets, if initiated from an IPv6 node, will pass through
+o  native IPv6 nodes that may send traffic to the relay's subnet
-  choke point(s), namely a 6to4 relay; in addition to physical
+   broadcast address, and
-   limitations, these could implement some form of 6to4-site-specific
-  traffic limiting.
-On the other hand, a variety of factors can make the attacks serious:
+o  IPv4 nodes that may send traffic with a spoofed source IP address
+  (to be the relay's broadcast address) to elicit replies (e.g.,
+  ICMPv6 Hop Limit Exceeded) from the 6to4 relay to its local nodes.
-o  The attacker may have the ability to choose the relay, and he
+The first approach is more dangerous than those in Section 4.1.4
-  might employ the ones best suited for the attacks.  Also, many
+because it can be initiated by any IPv6 node (allowed to use the
-  relays use 192.88.99.1 [3] as the source address, making tracing
+relay); the approach is not limited to local users.
-  even more difficult (also see Section 4.2.6).
-o  The relay's IPv4 address may be used as a source address for these
+The second approach is trickier and not really useful.  For it to
-  attacks, potentially causing a lot of complaints or other actions,
+succeed, the relay would have to accept native source addresses over
-  as the relay might seem to be the source of the attack (see
+the 6to4 pseudo-interface (we did not assume this check was
-  Section 4.2.6 for more).
+implemented), as if coming from another relay, triggering an ICMPv6
+message to the relay's local IPv4 subnet.  The former method is more
+lucrative.
-Some of the mitigation methods for such attacks are as follows:
+EXTENSIONS
-.  Ingress filtering in the native IPv6 networks to prevent packets
+None.
-    with spoofed IPv6 sources from being transmitted.  This would,
-    thus, make it easy to identify the source of the attack.
-    Unfortunately, it would depend on significant (or even complete)
-    ingress filtering everywhere in other networks; while this is
-    highly desirable, it may not be feasible.
-.  Security checks in the 6to4 relay.  The 6to4 relay must drop
+THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
-    traffic (from the IPv6 Internet) that has 6to4 addresses as
-    source address; see Section 5 for more detail.  This has very
-    little cost.
-However, these mitigation methods do not address the case of an IPv4
+The threat is restricted to the relay's local subnet and is fixed by
-node sending encapsulated IPv6 packets.
+tightening the 6to4 security checks.
-No simple way to prevent such attacks exists, and longer-term
+COMPARISON TO SITUATION WITHOUT 6to4
-solutions, such as ingress filtering [12] or itrace [13], would have
+This scenario is caused by 6to4, but fortunately the issue is not
+serious.
+==== Theft of Service ====
+ATTACK DESCRIPTION
+The 6to4 relay administrators would often want to use some policy to
+limit the use of the relay to specific 6to4 sites and/or specific
+IPv6 sites.
-to be deployed in both IPv6 and IPv4 networks to help identify the
+The policy control is usually enacted by applying restrictions to
-source of the attacks.  A total penetration is likely impossible.
+where the routing information for 2002::/16 and/or 192.188.99.0/24
-(Note that itrace work has been discontinued, as of this writing in
+(if the anycast address used [3]) will spread.
-July 2004.)
-COMPARISON TO SITUATION WITHOUT 6to4
+Some users may be able to use the service regardless of these
+controls, by
-Traffic spoofing is not a new phenomenon in IPv4 or IPv6.  6to4 just
+o  configuring the address of the relay using its IPv4 address
-makes it easier: Anyone can, regardless of ingress filtering, spoof a
+  instead of 192.88.99.1, or
-native IPv6 address to a 6to4 node, even if "maximal security" would
-be implemented and deployed.  Losing trails is also easier.
-Therefore, depending on how much one assumes ingress filtering is
+o  using the routing header to route IPv6 packets to reach specific
-deployed for IPv4 and IPv6, this could be considered either a very
+to4 relays.  (Other routing tricks, such as using static routes,
-serious issue or close to irrelevant compared to the IP spoofing
+  may also be used.)
-capabilities without 6to4.
-==== Reflecting Traffic to 6to4 Nodes ====
+EXTENSIONS
-ATTACK DESCRIPTION
+None.
-Spoofed traffic (as described in Section 4.2.2) may be sent to native
+THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
-IPv6 nodes to perform a reflection attack against 6to4 nodes.
-The spoofed traffic is sent to a native IPv6 node, either from an
+Attempts to use the relay's IPv4 address instead of 192.88.99.1 can
-IPv4 node (through a 6to4 relay) or from a native IPv6 node (unless
+be mitigated in the following ways:
-ingress filtering has been deployed).  With the former, the sent
-packets would resemble the following:
-src_v6 = 2002:1234:1234::1 (forged address of the target 6to4 node)
+.  IPv4 domains should prevent use of the actual IPv4 address of the
-dst_v6 = 2002:0900:0002::1 (valid address)
+    relay instead of 192.88.99.1.
-src_v4 = 8.0.0.1           (valid or invalid address)
-dst_v4 = 9.0.0.2          (valid address, matches dst_v6)
-Note that an attack through the relay is prevented if the relay
+.  Usage of access lists in the 6to4 relay to limit access.  This is
-implements proper decapsulation security checks (see Section 5 for
+    only feasible if the number of IP networks the relay is supposed
-details) unless the IPv4 node can spoof the source address to match
+    to serve is relatively low.
-src_v6.  Similarly, the attack from native IPv6 nodes could be
-prevented by global ingress filtering deployment.
-These attacks can be initiated by native IPv6, IPv4, or 6to4 nodes.
+.  The 6to4 relay should filter out arriving tunneled packets with
+    protocol 41 (IPv6) that do not have 192.88.99.1 as the
+    destination address.
-EXTENSIONS
+The other threat, of using routing tricks in the IPv6 networks to
+reach the 6to4 relay, has similar solutions:
-A distributed Reflection DoS can be performed if a large number of
+.  Usage of access lists in the relay to limit access.
-nodes are involved in sending spoofed traffic with the same src_v6.
+.  Filtering out the packets with a routing header (although this
+    may have other implications).
+.  Monitoring the source addresses going through the relay to
+    detect, e.g., peers setting up static routes.
+Routing Header is not specific to 6to4.  The main thing one could do
+with it here would be to select the relay.  Some generic threats
+about routing header use are described in [11].
+As this threat does not have implications for anything other than the
+organization providing 6to4 relay, it is not analyzed any further.
+COMPARISON TO SITUATION WITHOUT 6to4
+These threats are specific to 6to4 relays (or in general anycast
+services) and do not exist in networks without 6to4.
-Malicious 6to4 nodes can also (try to) initiate this attack by
+==== Relay Operators Seen as Source of Abuse ====
-bouncing traffic off 6to4 nodes in other 6to4 sites.  However, this
-attack may not be possible, as the 6to4 router (in the site from
-which the attack is launched) will filter packets with forged source
-addresses (with security checks mentioned in Section 5).
-THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+ATTACK DESCRIPTION
-In this case, the reverse traffic comprises replies to the messages
+Several attacks use 6to4 relays to anonymize the traffic; this often
-received by the 6to4 nodes.  The attacker has less control on the
+results in packets being tunneled from the relay to a supposedly-6to4
-packet type, and this would inhibit certain types of attacks.  For
+site.
-example, flooding a 6to4 node with TCP SYN packets will not be
-possible (but e.g., a SYN-ACK or RST would be).
-These attacks may be mitigated in various ways:
+However, as was pointed out in Section 4.2, the IPv4 source address
+used by the relay could, on a cursory look, be seen as the source of
+these "protocol-41" attacks.
-o  Implementation of ingress filtering by the IPv4 service providers.
+This could cause a number of concerns for the operators deploying
-  This would prevent forging of the src_v4 address and help in
+to4 relay service, including the following:
-  closing down on the culprit IPv4 nodes.  Note that it will be
-  difficult to shut down the attack if a large number of IPv4 nodes
-  are involved.
-  These attacks may be also be stopped at the 6to4 sites if the
+o  being contacted a lot (via email, phone, fax, or lawyers) on
-  culprit src_v4 address is identified, and if it is constant, by
+   suspected "abuse",
-  filtering traffic from this address.  Note that it would be
-  difficult to implement this method if appropriate logging were not
-  done by the 6to4 router or if a large number of 6to4 nodes, and/or
-   a large number of IPv4 nodes were participating in the attack.
-  Unfortunately, because many IPv4 service providers don't implement
+o  having the whole IPv4 address range rejected as a source of abuse
-   ingress filtering, for whatever reasons, this may not be a
+   or spam, causing outage to other operations as well, or
-  satisfactory solution.
-o  Implementation of ingress filtering by all IPv6 service providers
+o  causing the whole IPv4 address range to be blacklisted in some
-  would eliminate this attack, because src_v6 could not be spoofed
+   "spammer databases", if the relay were used for those purposes.
-  as a 6to4 address.  However, expecting this to happen may not be
-   practical.
-o  Proper implementation of security checks (see Section 5) both at
+This threat seems slightly similar to the outburst of SMTP abuse
-  the 6to4 relays and routers would eliminate an attack launched
+caused by open relays but is more generic.
-  from an IPv4 node, except when the IPv4 source address was also
-  spoofed -- but then the attacker would have been able to attack
-  the ultimate destination directly.
-o  Rate limiting traffic at the 6to4 relays.  In a scenario where
+EXTENSIONS
-  most of the traffic is passing through few 6to4 relays, these
-  relays can implement traffic rate-limiting features and rate-limit
-  the traffic from 6to4 sites.
+None.
+THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+This problem can be avoided (or, really, "made someone else's
+problem") by using the 6to4 anycast address in 192.88.99.0/24 as the
+source address.  Blacklisting or rejecting this should not cause
+problems to the other operations.
+Further, when someone files complaints to the owner of
+.88.99.0/24, depending on which registry they are querying, they
+might get, for example:
-COMPARISON TO SITUATION WITHOUT 6to4
+o  knowledge that this is a special IANA address block, with no real
+  contact person,
-This particular attack can be mitigated by proper implementation of
+o  knowledge that this is a special address block for RFC 3068, or
-security checks (which is quite straightforward) and ingress
-filtering; when ingress filtering is not implemented, it is typically
-easier to attack directly than through reflection -- unless "traffic
-laundering" is an explicit goal of the attack.  Therefore, this
-attack does not seem very serious.
-==== Local IPv4 Broadcast Attack ====
+o  knowledge that this is a special address block for RFC 3068, and
+  that there are multiple entries by relay operators in the
+  database.
-ATTACK DESCRIPTION
+Any of these, at least when processed by a human, should show that
+the 6to4 relay is in fact innocent.  Of course, this could result in
+reports going to the closest anycast 6to4 relay as well, which had
+nothing to do with the incident.
-This threat is applicable if the 6to4 router does not check whether
+However, the widespread usage of 192.88.99.1 as the source address
-the IPv4 address to which it tries to send encapsulated IPv6 packets
+may make it more difficult to disambiguate the relays, which might be
-is a local broadcast address or a multicast address.
+a useful feature for debugging purposes.
-This threat is described in the specification [1], and implementing
+COMPARISON TO SITUATION WITHOUT 6to4
-the checks eliminates this threat.  However, as checks have not been
-widely implemented, the threat is included here for completeness.
-There practically two kinds of attacks: when a local 6to4 user tries
+This threat is caused by 6to4 deployment but can be avoided, at least
-to send packets to the address corresponding to the broadcast
+in the short-term, by using 192.88.99.1 as the source address.
-address, and when someone is able to do so remotely.
-In the first option, assume that 9.0.0.255 is the 6to4 router's
+=== Attacks on IPv4 Internet ===
-broadcast address.  After receiving the packet with a destination
-address like "2002:0900:00ff::bbbb" from a local 6to4 node, if the
-router doesn't check the destination address for subnet broadcast, it
-would send the encapsulated protocol-41 packet to 9.0.0.255.  This
-would be received by all nodes in the subnet, and the responses would
-be directed to the 6to4 router.
-Malicious sites may also embed forged 6to4 addresses in the DNS, use
+There are two types of attacks on the IPv4 internet - spoofed
-of which by a 6to4 node would result in a local broadcast by the 6to4
+traffic, and reflection.  These can be initiated by native IPv6
-router.  One way to perform this attack would be to send an HTML mail
+nodes, 6to4 nodes, and IPv4 nodes.
-containing a link to an invalid URL (for example,
-http://[2002:0900:00ff::bbbb]/index.html) to all users in a 6to4
-technology based network.  Opening of the mail simultaneously would
-result in a broadcast storm.
-The second kind of attack is more complex: The attack can be
+Attacks initiated by IPv4 nodes that send spoofed traffic, which
-initiated by IPv4 nodes not belonging to the local network as long as
+would not use the 6to4 infrastructure, are considered out of the
-they can send traffic with invalid (for example 2002:0900:00ff::bbbb)
+scope of this document.  6to4 infrastructure may be used in
-source address.  The 6to4 router has to respond to the traffic by
+reflection attacks initiated by IPv4 nodes.
-sending ICMPv6 packets back to the source, (e.g., Hop Limit Exceeded
-or Destination Unreachable).  The packet would be as follows:
+It is difficult for these attacks to be effective, as the traffic
+sent out will be IPv6-in-IPv4.  Such traffic will be rejected by most
+IPv4 nodes unless they have implemented some sort of IPv6-in-IPv4
+tunneling.
+=== Summary of the Attacks ===
+Columns:
+o  Section number.  The section that describes the attack.
+o  Attack name.
-src_v6 = 2002:0800:00ff::bbbb (broadcast address of the router)
+o  Initiator.  The node that initiates the attack.
-dst_v6 = 2002:0800:0001::0001 (valid non-existent address)
-This is a DoS attack.
+  *  I_4 - IPv4 node
-EXTENSIONS
+  *  I_6 - native IPv6 node
-The attacks could also be directed at non-local broadcast addresses,
+  *  6to4 - 6to4 node
-but these would be so-called "IPv4 directed broadcasts", which have
-(luckily enough) already been extensively blocked in the Internet.
-THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+  *  * - All of the above
-The attack is based on the premise that the 6to4 router has to send a
+o  Victim.  The victim node
-packet that embeds an invalid IPv4 address to an IPv6 address.  Such
-an attack is easily thwarted by ensuring that the 6to4 router does
-not transmit packets to invalid IPv4 addresses.  Specifically,
-traffic should not be sent to broadcast or multicast IPv4 addresses.
-COMPARISON TO SITUATION WITHOUT 6to4
+  *  I_4 - IPv4 node
-The first threat is similar to what is already possible with IPv4,
+  *  I_6 - native IPv6 node
-but IPv6 does not have broadcast addresses.
-The second, a more complex threat, is, similarly, also available in
+  *  6to4 - 6to4 node
-IPv4.
-In consequence, the security does not seem to be significantly worse
+  *  Relay - 6to4 relay
-than with IPv4, and even that is restricted to the site(s) with 6to4
-implementations that haven't been secured as described in Section 5.
-=== Attacks on Native IPv6 Internet ===
+  *  Router - 6to4 router
-This section describes attacks against native IPv6 Internet that
+o  ToA.  Type of Attack
-somehow leverage 6to4 architecture.  Attacks against 6to4 nodes were
-described in the previous section.
-to4 and IPv4 nodes can access native IPv6 nodes through the 6to4
+  *  D - DoS
-relay routers.  Thus, the 6to4 relays play a crucial role in any
-attack on native IPv6 nodes by IPv4 nodes or 6to4 nodes.
-to4 relays have only one significant security check they must
+  *  R - Reflection DoS
-perform for general safety: When decapsulating IPv4 packets, they
-check that 2002:V4ADDR::/48 and V4ADDR match in the source address.
-If this is not done, several threats become more serious; in the
-following analysis, it is assumed that such checks are implemented.
+  *  T - Theft of Service
+o  Fix.  Specified who is responsible for fixing the attack.
+  *  6 - The 6to4 developer and/or operator can completely mitigate
+      this attack.
+  *  6* - The 6to4 developer and/or operator can partially mitigate
+      this attack.
+  *  E - This threat cannot be fixed by the 6to4 developer or the
+to4 operator.
+Summary of attacks on a 6to4 network:
-to4 relay should not relay packets between 6to4 addresses.  In
+  +-------+----------------------+---------+----------+-----+-----+
-particular, packets decapsulated from 6to4 routers should not be
+  | Sec  | Attack name          |Initiator| Victim  | ToA | Fix |
-encapsulated toward 6to4 routers, as described in Section 5.
+  +-------+----------------------+---------+----------+-----+-----+
-Similarly, packets with 6to4 source and destination addresses sent
+  | 4.1.1 | Attacks with ND      |  I_4    |  Router  |  D  |  6  |
-from IPv6 nodes should not be relayed.  It is not clear whether this
+  +-------+----------------------+---------+----------+-----+-----+
-kind of check is typically implemented.  The attacks described below
+  | 4.1.2 | Spoofing Traffic    | I_4,I_6 |  6to4   |  D  |  E  |
-assume that such checks are not implemented.
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.1.3 | Reflection Attacks  |  *    |  6to4  |  R  |  6* |
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.1.4 | Local IPv4 Broadcast |  *    |  Router  |  D  |  6  |
+  +-------+----------------------+---------+----------+-----+-----+
-==== Attacks with ND Messages ====
+                              Figure 9
-These attacks are the same as those employed against 6to4 routers, as
+Summary of attacks on the native IPv6 internet:
-described in Section 4.1.1.
-==== Spoofing Traffic to Native IPv6 Node ====
+  +-------+----------------------+---------+----------+-----+-----+
+  | Sec  | Attack name          |Initiator|  Victim  | ToA | Fix |
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.2.1 | Attacks with ND      |  I_4  |  Relay  |  D  |  6  |
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.2.2 | Spoofing Traffic     | I_4,6to4|    I_6  |  D  |  6* |
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.2.3 | Reflection Attacks  |    *    |    I_6  |  R  |  6* |
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.2.4 | Local IPv4 Broadcast |    *    |  Relay  |  D  |  6  |
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.2.5 | Theft of Service    |  6to4  |  Relay  |  T  |  6  |
+  +-------+----------------------+---------+----------+-----+-----+
+  | 4.2.6 | Relay Operators ...  |    -    |    -    |  D  |  1) |
+  +-------+----------------------+---------+----------+-----+-----+
-ATTACK DESCRIPTION
+                              Figure 10
-The attacker - a malicious IPv4 or 6to4 node - can send packets with
+Notes:
-a spoofed (or not spoofed) 6to4 source address to a native IPv6 node
-to accomplish a DoS attack.
-The threat is similar to that involving 6to4 routers, as described in
+) This attack is a side-effect of the other attacks and thus does
-Section 4.1.2.
+not have any Initiator, Victim, and Fix.  It is a Denial of Service
+attack not on the network but on the organization in-charge of the
+relay.
-The difference here is that the attack is initiated by IPv4 or 6to4
+Summary of attacks on IPv4 internet:
-nodes.  The source IPv6 address may or may not be spoofed.  Note
-that, as mentioned above, the relay is assumed to correlate the
-source IPv4 address with the address embedded in the source IPv6
-address during decapsulation.  A side effect is that all spoofed
-traffic will have a 6to4 source address.
-EXTENSIONS
+  +-------+----------------------+---------+----------+-----+-----+
+  | Sec  | Attack name          |Initiator|  Victim  | ToA | Fix |
+  +-------+----------------------+---------+----------+-----+-----+
+  |  4.3  | Spoofing Traffic    |    *    |    I_4  |  D  |  6* |
+  +-------+----------------------+---------+----------+-----+-----+
+  |  4.3  | Reflection Attacks  |    *    |    I_4  |  R  |  6* |
+  +-------+----------------------+---------+----------+-----+-----+
-Spoofed traffic may also be sent to native IPv6 nodes either by other
+                              Figure 11
-native IPv6 nodes, by 6to4 nodes, or by malicious IPv4 nodes to
-conduct Reflection DoS on either native IPv6 nodes or 6to4 nodes.
-Certain native IPv6 networks may have a trivial ACL (Access Control
-List) based firewall that allows traffic to pass through if it comes
-from particular source(s).  Such a firewalling mechanism can be
-bypassed by address spoofing.  This attack can therefore be used for
-trivial ACL avoidance as well.  These attacks might be hampered by
-lost replies from the 6to4 node to the spoofed address.
+== Implementing Proper Security Checks in 6to4 ==
+This section describes several ways to implement the security checks
+required or implied by the specification [1] or augmented by this
+memo.  These do not, in general, protect against most of the threats
+listed above in the "Threat Analysis" section.  They are only
+prerequisites for a relatively safe and simple 6to4 implementation.
+Note that, in general, the 6to4 router or relay does not know whether
+it is acting as a router or relay.  It would be possible to include a
+toggle to specify the behaviour, to be used when, e.g., the interface
+is brought up, but as of February 2004, no implementations were known
+to do that.  Therefore, the checks are described as that which works
+independently of whether the node is a router or relay.
+=== Encapsulating IPv6 into IPv4 ===
+The checks described in this section are to be performed when
+encapsulating IPv6 into IPv4.
+The encapsulation rules are mainly designed to keep implementors from
+"shooting themselves in the foot."  For example, the source address
+check would verify that the packet will be acceptable to the
+decapsulator, or the sanity checks would ensure that addresses
+derived from private addresses are not used (which would be equally
+unacceptable).
+ src_v6 and dst_v6 MUST pass ipv6-sanity checks (see below) else drop
+ if prefix (src_v6) == 2002::/16
+    ipv4 address embedded in src_v6 MUST match src_v4
+ else if prefix (dst_v6) == 2002::/16
+        dst_v4 SHOULD NOT be assigned to the router
+ else
+    drop
+        /* we somehow got a native-native ipv6 packet */
+ fi
+ accept
+=== Decapsulating IPv4 into IPv6 ===
+The checks described in this section are to be performed when
+decapsulating IPv4 into IPv6.  They will be performed in both the
+to4 router and relay.
-THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+ src_v4 and dst_v4 MUST pass ipv4-sanity checks, else drop
+ src_v6 and dst_v6 MUST pass ipv6-sanity checks, else drop
+ if prefix (dst_v6) == 2002::/16
+    ipv4 address embedded in dst_v6 MUST match dst_v4
+        if prefix (src_v6) == 2002::/16
+            ipv4 address embedded in src_v6 MUST match src_v4
+            dst_v4 SHOULD be assigned to the router
+        fi
+ elif prefix (src_v6) == 2002::/16
+    ipv4 address embedded in src_v6 MUST match src_v4
+    dst_v4 SHOULD be assigned to the router (see notes below)
-The Denial-of-Service attack based on traffic spoofing is not new;
+  else
-the only twist is that traces of an attack are more easily lost.  The
+    drop
-to4 relay typically does not log IPv4 addresses (as they would be
+        /* the we somehow got a native-native ipv6 packet */
-treated as L2 addresses), and thus the source of the attack (if
+  fi
-launched from an IPv4 node) is lost.  Because traces to the src_v4
+ accept
-address are easily lost, these attacks can also be launched from IPv4
-nodes whose connections are ingress-filtered.
-These attacks might not be easy to perform and might be hampered
+=== IPv4 and IPv6 Sanity Checks ===
-because of the following:
-o  It might be difficult to launch such attacks from 6to4 nodes
+The encapsulation and decapsulation checks include certain sanity
-  because even if the 6to4 routers allow spoofing of the source IPv6
+checks for both IPv4 and IPv6.  These are described here in detail.
-  address, the 6to4 relay would check whether the source V4ADDR is
-  the same as the one embedded in the source IPv6 address.  Thus,
-to4 nodes will be forced to use the correct IPv6 prefix while
-  launching an attack, making it easy to close such attacks.
-o  Packets may pass through choke point(s), namely a 6to4 relay.  In
+==== IPv4 ====
-  addition to physical limitations, there could be some sort of
-  traffic rate limiting mechanisms that may be implemented, and
-  these could tone down the attack.
-o  For every packet sent, at most one reply packet is generated:
+IPv4 address MUST be a global unicast address, as required by the
-  There is no amplification factor.
+to4 specification.  The disallowed addresses include those defined
+in [14], and others widely used and known not to be global.  These
+are
-Some of the mitigation methods for such attacks are as follows:
+o  0.0.0.0/8 (the system has no address assigned yet)
-.  Ingress filtering in the IPv4 Internet to prevent packets with a
+o  10.0.0.0/8 (private)
-    spoofed IPv4 source from being transmitted.  As the relay checks
-    that the 6to4 address embeds the IPv4 address, no spoofing can be
-    achieved unless IPv4 addresses can be spoofed.  However, this
-    would probably be an unfeasible requirement.
-.  Security checks in the 6to4 relay.  The 6to4 relay must drop
+o  127.0.0.0/8 (loopback)
-    traffic (from 6to4 nodes, or IPv4 nodes) with non-6to4 addresses
-    as the source address, or for which the source IPv4 address does
-    not match the address embedded in the source IPv6 address.
-COMPARISON TO SITUATION WITHOUT 6to4
+o  172.16.0.0/12 (private)
-Compared to Section 4.1.2, which describes more serious threats, this
+o  192.168.0.0/16 (private)
-threat appears to be slightly more manageable.  If the relays perform
-proper decapsulation checks, the spoofing can only be achieved, to a
-to4 source address, when the IPv4 address is spoofable as well.
+o  169.254.0.0/16 (IANA Assigned DHCP link-local)
+o  224.0.0.0/4 (multicast)
+o  240.0.0.0/4 (reserved and broadcast)
+In addition, the address MUST NOT be any of the system's broadcast
+addresses.  This is especially important if the implementation is
+made so that it can
+o  receive and process encapsulated IPv4 packets arriving at its
+  broadcast addresses, or
-==== Reflecting Traffic to Native IPv6 Nodes ====
+o  send encapsulated IPv4 packets to one of its broadcast addresses.
-ATTACK DESCRIPTION
+==== IPv6 ====
-These reflection attacks are similar to that involving 6to4 routers,
+IPv6 address MUST NOT be
-as described in Section 4.1.3.  Traffic may be reflected off native
-IPv6 nodes, or off 6to4 nodes.  The attack can be initiated by one of
-the following:
-o  Native IPv6 nodes.  These nodes can send invalid traffic with
+o  0::/16 (compatible, mapped addresses, loopback, unspecified, ...)
-  spoofed native IPv6 addresses to valid 6to4 nodes.  Replies from
-  the 6to4 nodes are part of a reflection attack.
-o  IPv4 nodes.  These nodes can send traffic with native IPv6 source
+o  fe80::/10 (link-local)
-  addresses (encapsulated by the IPv4 node itself into a protocol-41
-  packet) to 6to4 nodes.  Replies from the 6to4 nodes are part of a
-  reflection attack.
-o  6to4 nodes.  These nodes can perform attacks similar to those by
+o  fec0::/10 (site-local)
-  IPv4 nodes, but this would require spoofing of the source address
-  at the 6to4 site before encapsulation, which is likely to be
-  difficult.
-When launched from a native IPv6 node, the traffic goes through 6to4
+o  ff00::/8 (any multicast)
-relays twice, both before and after the reflection; when launched
-from a 6to4/IPv4 node, the traffic goes through a relay only after
-the reflection.
-EXTENSIONS
+Note: Only link-local multicast would be strictly required, but it is
+believed that multicast with 6to4 will not be feasible, so it has
+been disallowed as well.
-A distributed reflection DoS can be performed if a large number of
+In addition, it MUST be checked that equivalent 2002:V4ADDR::/48
-native IPv6 nodes or IPv4/6to4 nodes are involved in sending spoofed
+checks, where V4ADDR is any of the above IPv4 addresses, will not be
-traffic with the same source IPv6 address.
+passed.
-THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+==== Optional Ingress Filtering ====
-Some of the mitigation methods for such attacks are as follows:
+In addition, the implementation in the 6to4 router may perform some
+form of ingress filtering (e.g., Unicast Reverse Path Forwarding
-.  Attacks from the native IPv6 nodes could be stopped by
+checks).  For example, if the 6to4 router has multiple interfaces, of
-    implementing ingress filtering in the IPv6 Internet; hopefully
+which some are "internal", receiving either IPv4 or IPv6 packets with
-    this will become commonplace, but past experience of IPv4 ingress
+source address belonging to any of these internal networks from the
-    filtering deployment (or lack thereof) does not promise much.
+Internet might be disallowed.
-.  Two measures are needed to stop or mitigate the attacks from IPv4
-    nodes: 1) Implementing ingress filtering in the IPv4 internet,
-    and 2) logging IPv4 source addresses in the 6to4 router.
+If these checks are implemented and enabled by default, it's
+recommended that there be a toggle to disable them if needed.
+==== Notes about the Checks ====
+The rule "dst_v4 SHOULD be assigned to the router" is not needed if
+the 6to4 router implementation only accepts and processes
+encapsulated IPv4 packets arriving to its unicast IPv4 addresses, and
+when the destination address is known to be a local broadcast
+address, it does not try to encapsulate and send packets to it.  (See
+Sections 4.1.4 and  4.2.4 about this threat.)
+Some checks, especially the IPv4/IPv6 Sanity Checks, could be at
+least partially implementable with system-level access lists, if one
+would like to avoid placing too many restrictions in the 6to4
+implementation itself.  This depends on how many hooks are in place
+for the access lists.  In practice, it seems that this could not be
+done effectively enough unless the access list mechanism is able to
+parse the encapsulated packets.
+== Issues in 6to4 Implementation and Use ==
+This section tries to give an overview of some of the problems 6to4
+implementations face, and the kind of generic problems the 6to4 users
+could come up with.
-.  Attacks from 6to4 nodes in other sites can be stopped if the 6to4
+=== Implementation Considerations with Automatic Tunnels ===
-    routers in those sites implement egress filtering.  This could be
-    done by those sites, but the sites that are most likely to be
-    abused are typically also those most likely to neglect installing
-    appropriate filtering at their edges.
-.  The traffic passes through one or two relays, and traffic rate
+There is a problem with multiple transition mechanisms if strict
-    limiting in the 6to4 relays might help tone down the reflection
+security checks are implemented.  This may vary a bit from
-    attack.
+implementation to implementation.
-COMPARISON TO SITUATION WITHOUT 6to4
+Consider three mechanisms using automatic tunneling: 6to4, ISATAP
+[15], and Automatic Tunneling using Compatible Addresses [4]
+(currently removed [10] but typically still supported).  All of these
+use IP-IP (protocol 41) [16] IPv4 encapsulation with, more or less, a
+pseudo-interface.
-Even though there are means to mitigate it, the attack is still
+When a router, which has any two of these enabled, receives an IPv4
-rather efficient, especially when used by native IPv6 nodes with
+encapsulated IPv6 packet
-spoofed addresses.  Using 6to4 relays and routers could easily take
-down the 6to4 relay system and/or provide an easy means for traffic
-laundering.  However, if the attack is intended to DoS the victim,
-this can be achieved more smoothly by doing it directly (as the
-source address spoofing was available as well).
-Therefore, the threat to the availability and stability of the 6to4
+src_v6 = 2001:db8::1
-relay system itself seems to be higher than to the native IPv6
+dst_v6 = 2002:1010:1010::2
-Internet.
+src_v4 = 10.0.0.1
+dst_v4 = 20.20.20.20
-==== Local IPv4 Broadcast Attack ====
+What can it do?  How should it decide which transition mechanism this
+belongs to; there is no "transition mechanism number" in the IPv6 or
+IPv4 header to signify this.  (This can also be viewed as a
+flexibility benefit.)
-This attack is similar to the ones employed against 6to4 routers, as
+Without any kind of security checks (in any of the implemented
-described in Section 4.1.4.  There are slight differences with regard
+methods), these often just "work", as the mechanisms aren't
-to the source of the attacks.  This attack can be initiated by:
+differentiated but handled in "one big lump".
-o  native IPv6 nodes that may send traffic to the relay's subnet
+Configured tunneling [4] does not suffer from this, as it is
-  broadcast address, and
+point-to-point and based on src_v6/dst_v6 pairs of both IPv4 and IPv6
+addresses, so the tunnel interface can be logically deduced.
-o  IPv4 nodes that may send traffic with a spoofed source IP address
+Solutions for this include 1) not using more than one automatic
-  (to be the relay's broadcast address) to elicit replies (e.g.,
+tunneling mechanism in a node and 2) binding different mechanisms to
-  ICMPv6 Hop Limit Exceeded) from the 6to4 relay to its local nodes.
+different IPv4 addresses.
-The first approach is more dangerous than those in Section 4.1.4
+=== A Different Model for 6to4 Deployment ===
-because it can be initiated by any IPv6 node (allowed to use the
-relay); the approach is not limited to local users.
-The second approach is trickier and not really useful.  For it to
+Even though this was already discussed in Section 4.1.2, it bears
-succeed, the relay would have to accept native source addresses over
+some additional elaboration, as it was the only problem that cannot
-the 6to4 pseudo-interface (we did not assume this check was
+be even partially solved using the current deployment model.  There
-implemented), as if coming from another relay, triggering an ICMPv6
+are some mitigation methods.
-message to the relay's local IPv4 subnet.  The former method is more
-lucrative.
+to4 routers receive traffic from non-6to4 ("native") sources via
+to4 relays.  6to4 routers have no way of matching the IPv4 source
+address of the relay with the non-6to4 IPv6 address of the source.
+Consequently, anyone can spoof any non-6to4 IPv6 address by sending
+traffic, encapsulated, directly to 6to4 routers.
+It could be possible to turn the deployment assumptions of 6to4
+around a bit to eliminate some threats caused by untrusted 6to4
+relays:
+o  Every dual-stack site (or even ISP) would be required to have its
+  own 6to4 relay.  (This assumes that IPv6-only is so far away that
+to4 would be retired by that point.)  That is, there would not be
+  third-party relays, and 2002::/16 and 192.88.99.0/24 routes would
+  not need to be advertised globally.
+o  The security implications of 6to4 use could be pushed back to the
+  level of trust inside the site or ISP (or their acceptable use
+  policies).  This is something that the sites and ISPs should
+  already be familiar with already.
+However, this presents a number of problems:
-EXTENSIONS
+This model would shift most of the burden of supporting 6to4 to IPv6
+sites that don't employ or use 6to4 at all, i.e., "those who deploy
+proper native dual-stack."  It could be argued that the deployment
+pain should be borne by 6to4 users, not by the others.
-None.
+The main advantage of 6to4 is easy deployment and free relays.  This
+would require that everyone the 6to4 sites wish to communicate with
+implement these measures.
-THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+The model would not fix the "relay spoofing problem", unless
+everybody also deployed 6to4 addresses on the nodes (alongside with
+native addresses, if necessary), which would in turn change 6to4 to
+operate without relays completely.
-The threat is restricted to the relay's local subnet and is fixed by
+== Security Considerations ==
-tightening the 6to4 security checks.
-COMPARISON TO SITUATION WITHOUT 6to4
+This document discusses security considerations of 6to4.
-This scenario is caused by 6to4, but fortunately the issue is not
+Even if proper checks are implemented, there are a large number of
-serious.
+different security threats; these threats are analyzed in Section 4.
-==== Theft of Service ====
+There are mainly four classes of potential problem sources:
-ATTACK DESCRIPTION
+.  6to4 routers not being able to identify whether relays are
+    legitimate
-The 6to4 relay administrators would often want to use some policy to
+.  Wrong or impartially implemented 6to4 router or relay security
-limit the use of the relay to specific 6to4 sites and/or specific
+    checks
-IPv6 sites.
-The policy control is usually enacted by applying restrictions to
+.  6to4 architecture used to participate in DoS or reflected DoS
-where the routing information for 2002::/16 and/or 192.188.99.0/24
+    attacks or made to participate in "packet laundering", i.e.,
-(if the anycast address used [3]) will spread.
+    making another attack harder to trace
-Some users may be able to use the service regardless of these
+.  6to4 relays being subject to "administrative abuse" e.g., theft
-controls, by
+    of service or being seen as a source of abuse.
-o  configuring the address of the relay using its IPv4 address
+The first is the toughest problem, still under research.  The second
-  instead of 192.88.99.1, or
+can be fixed by ensuring the correctness of implementations; this is
+important.  The third is also a very difficult problem, impossible to
-o  using the routing header to route IPv6 packets to reach specific
+solve completely; therefore it is important to be able to analyze
-to4 relays.  (Other routing tricks, such as using static routes,
+whether this results in a significant increase of threats.  The
-  may also be used.)
+fourth problem seems to have feasible solutions.
-EXTENSIONS
+These are analyzed in detail in "Threat Analysis", in Section 4.
-None.
+== Acknowledgments ==
-THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
+Some issues were first brought up by Itojun Hagino in [17], and Alain
+Durand introduced one specific problem at IETF51 in August 2001
+(though there was some discussion on the list prior to that); these
+two gave the authors the push to start looking into the details of
+securing 6to4.
-Attempts to use the relay's IPv4 address instead of 192.88.99.1 can
+Alexey Kuznetsov brought up the implementation problem with IPv6
-be mitigated in the following ways:
+martian checks.  Christian Huitema formulated the rules that rely on
+to4 relays using only anycast.  Keith Moore brought up the point
+about reduced flexibility.  Brian Carpenter, Tony Hain, and Vladislav
+Yasevich are acknowledged for lengthy discussions.  Alain Durand
+reminded the authors about relay spoofing problems.  Brian Carpenter
+reminded the authors about the BGP-based 6to4 router model.
+Christian Huitema gave a push for a more complete threat analysis.
+Itojun Hagino spelled out the operators' fears about 6to4 relay
-.  IPv4 domains should prevent use of the actual IPv4 address of the
+abuse.  Rob Austein brought up the idea of a different 6to4
-    relay instead of 192.88.99.1.
+deployment model.
+In the latter phase, discussions with Christian Huitema, Brian
+Carpenter, and Alain Durand were helpful when improving the document.
+David Malone, Iljitsch van Beijnum, and Tim Chown gave feedback on
+the document.
+== References ==
+=== Normative References ===
+[1]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4
+    Clouds", RFC 3056, February 2001.
-.  Usage of access lists in the 6to4 relay to limit access.  This is
+[2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
-    only feasible if the number of IP networks the relay is supposed
+    Levels", BCP 14, RFC 2119, March 1997.
-    to serve is relatively low.
+[3]  Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", RFC
+, June 2001.
-.  The 6to4 relay should filter out arriving tunneled packets with
+=== Informative References ===
-    protocol 41 (IPv6) that do not have 192.88.99.1 as the
-    destination address.
-The other threat, of using routing tricks in the IPv6 networks to
+[4]  Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6
-reach the 6to4 relay, has similar solutions:
+    Hosts and Routers", RFC 2893, August 2000.
-.  Usage of access lists in the relay to limit access.
-.  Filtering out the packets with a routing header (although this
-    may have other implications).
-.  Monitoring the source addresses going through the relay to
-    detect, e.g., peers setting up static routes.
-Routing Header is not specific to 6to4.  The main thing one could do
-with it here would be to select the relay.  Some generic threats
-about routing header use are described in [11].
-As this threat does not have implications for anything other than the
-organization providing 6to4 relay, it is not analyzed any further.
-COMPARISON TO SITUATION WITHOUT 6to4
-These threats are specific to 6to4 relays (or in general anycast
-services) and do not exist in networks without 6to4.
-==== Relay Operators Seen as Source of Abuse ====
-ATTACK DESCRIPTION
-Several attacks use 6to4 relays to anonymize the traffic; this often
-results in packets being tunneled from the relay to a supposedly-6to4
-site.
-However, as was pointed out in Section 4.2, the IPv4 source address
-used by the relay could, on a cursory look, be seen as the source of
-these "protocol-41" attacks.
-This could cause a number of concerns for the operators deploying
-to4 relay service, including the following:
-o  being contacted a lot (via email, phone, fax, or lawyers) on
-  suspected "abuse",
-o  having the whole IPv4 address range rejected as a source of abuse
-  or spam, causing outage to other operations as well, or
-o  causing the whole IPv4 address range to be blacklisted in some
-  "spammer databases", if the relay were used for those purposes.
-This threat seems slightly similar to the outburst of SMTP abuse
-caused by open relays but is more generic.
-EXTENSIONS
-None.
-THREAT ANALYSIS AND SOLUTIONS/MITIGATION METHODS
-This problem can be avoided (or, really, "made someone else's
-problem") by using the 6to4 anycast address in 192.88.99.0/24 as the
-source address.  Blacklisting or rejecting this should not cause
-problems to the other operations.
-Further, when someone files complaints to the owner of
-.88.99.0/24, depending on which registry they are querying, they
-might get, for example:
-o  knowledge that this is a special IANA address block, with no real
-  contact person,
-o  knowledge that this is a special address block for [[RFC3068|RFC 3068]], or
-o  knowledge that this is a special address block for [[RFC3068|RFC 3068]], and
-  that there are multiple entries by relay operators in the
-  database.
-Any of these, at least when processed by a human, should show that
-the 6to4 relay is in fact innocent.  Of course, this could result in
-reports going to the closest anycast 6to4 relay as well, which had
-nothing to do with the incident.
-However, the widespread usage of 192.88.99.1 as the source address
-may make it more difficult to disambiguate the relays, which might be
-a useful feature for debugging purposes.
-COMPARISON TO SITUATION WITHOUT 6to4
-This threat is caused by 6to4 deployment but can be avoided, at least
-in the short-term, by using 192.88.99.1 as the source address.
-=== Attacks on IPv4 Internet ===
-There are two types of attacks on the IPv4 internet - spoofed
-traffic, and reflection.  These can be initiated by native IPv6
-nodes, 6to4 nodes, and IPv4 nodes.
-Attacks initiated by IPv4 nodes that send spoofed traffic, which
-would not use the 6to4 infrastructure, are considered out of the
-scope of this document.  6to4 infrastructure may be used in
-reflection attacks initiated by IPv4 nodes.
-It is difficult for these attacks to be effective, as the traffic
-sent out will be IPv6-in-IPv4.  Such traffic will be rejected by most
-IPv4 nodes unless they have implemented some sort of IPv6-in-IPv4
-tunneling.
-=== Summary of the Attacks ===
-Columns:
-o  Section number.  The section that describes the attack.
-o  Attack name.
-o  Initiator.  The node that initiates the attack.
-  *  I_4 - IPv4 node
-  *  I_6 - native IPv6 node
-  *  6to4 - 6to4 node
-  *  * - All of the above
-o  Victim.  The victim node
-  *  I_4 - IPv4 node
-  *  I_6 - native IPv6 node
-  *  6to4 - 6to4 node
-  *  Relay - 6to4 relay
-  *  Router - 6to4 router
-o  ToA.  Type of Attack
-  *  D - DoS
-  *  R - Reflection DoS
-  *  T - Theft of Service
-o  Fix.  Specified who is responsible for fixing the attack.
-  *  6 - The 6to4 developer and/or operator can completely mitigate
-      this attack.
-  *  6* - The 6to4 developer and/or operator can partially mitigate
-      this attack.
-  *  E - This threat cannot be fixed by the 6to4 developer or the
-to4 operator.
-Summary of attacks on a 6to4 network:
-  +-------+----------------------+---------+----------+-----+-----+
-  | Sec  | Attack name          |Initiator| Victim  | ToA | Fix |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.1.1 | Attacks with ND      |  I_4    |  Router  |  D  |  6  |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.1.2 | Spoofing Traffic    | I_4,I_6 |  6to4  |  D  |  E  |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.1.3 | Reflection Attacks  |  *    |  6to4  |  R  |  6* |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.1.4 | Local IPv4 Broadcast |  *    |  Router  |  D  |  6  |
-  +-------+----------------------+---------+----------+-----+-----+
-                              Figure 9
-Summary of attacks on the native IPv6 internet:
-  +-------+----------------------+---------+----------+-----+-----+
-  | Sec  | Attack name          |Initiator|  Victim  | ToA | Fix |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.2.1 | Attacks with ND      |  I_4  |  Relay  |  D  |  6  |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.2.2 | Spoofing Traffic    | I_4,6to4|    I_6  |  D  |  6* |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.2.3 | Reflection Attacks  |    *    |    I_6  |  R  |  6* |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.2.4 | Local IPv4 Broadcast |    *    |  Relay  |  D  |  6  |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.2.5 | Theft of Service    |  6to4  |  Relay  |  T  |  6  |
-  +-------+----------------------+---------+----------+-----+-----+
-  | 4.2.6 | Relay Operators ...  |    -    |    -    |  D  |  1) |
-  +-------+----------------------+---------+----------+-----+-----+
-                              Figure 10
-Notes:
-) This attack is a side-effect of the other attacks and thus does
-not have any Initiator, Victim, and Fix.  It is a Denial of Service
-attack not on the network but on the organization in-charge of the
-relay.
-Summary of attacks on IPv4 internet:
-  +-------+----------------------+---------+----------+-----+-----+
-  | Sec  | Attack name          |Initiator|  Victim  | ToA | Fix |
-  +-------+----------------------+---------+----------+-----+-----+
-  |  4.3  | Spoofing Traffic    |    *    |    I_4  |  D  |  6* |
-  +-------+----------------------+---------+----------+-----+-----+
-  |  4.3  | Reflection Attacks  |    *    |    I_4  |  R  |  6* |
-  +-------+----------------------+---------+----------+-----+-----+
-                              Figure 11
-== Implementing Proper Security Checks in 6to4 ==
-This section describes several ways to implement the security checks
-required or implied by the specification [1] or augmented by this
-memo.  These do not, in general, protect against most of the threats
-listed above in the "Threat Analysis" section.  They are only
-prerequisites for a relatively safe and simple 6to4 implementation.
-Note that, in general, the 6to4 router or relay does not know whether
-it is acting as a router or relay.  It would be possible to include a
-toggle to specify the behaviour, to be used when, e.g., the interface
-is brought up, but as of February 2004, no implementations were known
-to do that.  Therefore, the checks are described as that which works
-independently of whether the node is a router or relay.
-=== Encapsulating IPv6 into IPv4 ===
-The checks described in this section are to be performed when
-encapsulating IPv6 into IPv4.
-The encapsulation rules are mainly designed to keep implementors from
-"shooting themselves in the foot."  For example, the source address
-check would verify that the packet will be acceptable to the
-decapsulator, or the sanity checks would ensure that addresses
-derived from private addresses are not used (which would be equally
-unacceptable).
- src_v6 and dst_v6 MUST pass ipv6-sanity checks (see below) else drop
- if prefix (src_v6) == 2002::/16
-    ipv4 address embedded in src_v6 MUST match src_v4
- else if prefix (dst_v6) == 2002::/16
-        dst_v4 SHOULD NOT be assigned to the router
- else
-    drop
-        /* we somehow got a native-native ipv6 packet */
- fi
- accept
-=== Decapsulating IPv4 into IPv6 ===
-The checks described in this section are to be performed when
-decapsulating IPv4 into IPv6.  They will be performed in both the
-to4 router and relay.
- src_v4 and dst_v4 MUST pass ipv4-sanity checks, else drop
- src_v6 and dst_v6 MUST pass ipv6-sanity checks, else drop
- if prefix (dst_v6) == 2002::/16
-    ipv4 address embedded in dst_v6 MUST match dst_v4
-        if prefix (src_v6) == 2002::/16
-            ipv4 address embedded in src_v6 MUST match src_v4
-            dst_v4 SHOULD be assigned to the router
-        fi
- elif prefix (src_v6) == 2002::/16
-    ipv4 address embedded in src_v6 MUST match src_v4
-    dst_v4 SHOULD be assigned to the router (see notes below)
- else
-    drop
-        /* the we somehow got a native-native ipv6 packet */
- fi
- accept
-=== IPv4 and IPv6 Sanity Checks ===
-The encapsulation and decapsulation checks include certain sanity
-checks for both IPv4 and IPv6.  These are described here in detail.
-==== IPv4 ====
-IPv4 address MUST be a global unicast address, as required by the
-to4 specification.  The disallowed addresses include those defined
-in [14], and others widely used and known not to be global.  These
-are
-o  0.0.0.0/8 (the system has no address assigned yet)
-o  10.0.0.0/8 (private)
-o  127.0.0.0/8 (loopback)
-o  172.16.0.0/12 (private)
-o  192.168.0.0/16 (private)
-o  169.254.0.0/16 (IANA Assigned DHCP link-local)
-o  224.0.0.0/4 (multicast)
-o  240.0.0.0/4 (reserved and broadcast)
-In addition, the address MUST NOT be any of the system's broadcast
-addresses.  This is especially important if the implementation is
-made so that it can
-o  receive and process encapsulated IPv4 packets arriving at its
-  broadcast addresses, or
-o  send encapsulated IPv4 packets to one of its broadcast addresses.
-==== IPv6 ====
-IPv6 address MUST NOT be
-o  0::/16 (compatible, mapped addresses, loopback, unspecified, ...)
-o  fe80::/10 (link-local)
-o  fec0::/10 (site-local)
-o  ff00::/8 (any multicast)
-'''Note:''' Only link-local multicast would be strictly required, but it is
-believed that multicast with 6to4 will not be feasible, so it has
-been disallowed as well.
-In addition, it MUST be checked that equivalent 2002:V4ADDR::/48
-checks, where V4ADDR is any of the above IPv4 addresses, will not be
-passed.
-==== Optional Ingress Filtering ====
-In addition, the implementation in the 6to4 router may perform some
-form of ingress filtering (e.g., Unicast Reverse Path Forwarding
-checks).  For example, if the 6to4 router has multiple interfaces, of
-which some are "internal", receiving either IPv4 or IPv6 packets with
-source address belonging to any of these internal networks from the
-Internet might be disallowed.
-If these checks are implemented and enabled by default, it's
-recommended that there be a toggle to disable them if needed.
-==== Notes about the Checks ====
-The rule "dst_v4 SHOULD be assigned to the router" is not needed if
-the 6to4 router implementation only accepts and processes
-encapsulated IPv4 packets arriving to its unicast IPv4 addresses, and
-when the destination address is known to be a local broadcast
-address, it does not try to encapsulate and send packets to it.  (See
-Sections 4.1.4 and  4.2.4 about this threat.)
-Some checks, especially the IPv4/IPv6 Sanity Checks, could be at
-least partially implementable with system-level access lists, if one
-would like to avoid placing too many restrictions in the 6to4
-implementation itself.  This depends on how many hooks are in place
-for the access lists.  In practice, it seems that this could not be
-done effectively enough unless the access list mechanism is able to
-parse the encapsulated packets.
-== Issues in 6to4 Implementation and Use ==
-This section tries to give an overview of some of the problems 6to4
-implementations face, and the kind of generic problems the 6to4 users
-could come up with.
-=== Implementation Considerations with Automatic Tunnels ===
-There is a problem with multiple transition mechanisms if strict
-security checks are implemented.  This may vary a bit from
-implementation to implementation.
-Consider three mechanisms using automatic tunneling: 6to4, ISATAP
-[15], and Automatic Tunneling using Compatible Addresses [4]
-(currently removed [10] but typically still supported).  All of these
-use IP-IP (protocol 41) [16] IPv4 encapsulation with, more or less, a
-pseudo-interface.
-When a router, which has any two of these enabled, receives an IPv4
-encapsulated IPv6 packet
-src_v6 = 2001:db8::1
-dst_v6 = 2002:1010:1010::2
-src_v4 = 10.0.0.1
-dst_v4 = 20.20.20.20
-What can it do?  How should it decide which transition mechanism this
-belongs to; there is no "transition mechanism number" in the IPv6 or
-IPv4 header to signify this.  (This can also be viewed as a
-flexibility benefit.)
-Without any kind of security checks (in any of the implemented
-methods), these often just "work", as the mechanisms aren't
-differentiated but handled in "one big lump".
-Configured tunneling [4] does not suffer from this, as it is
-point-to-point and based on src_v6/dst_v6 pairs of both IPv4 and IPv6
-addresses, so the tunnel interface can be logically deduced.
-Solutions for this include 1) not using more than one automatic
-tunneling mechanism in a node and 2) binding different mechanisms to
-different IPv4 addresses.
-=== A Different Model for 6to4 Deployment ===
-Even though this was already discussed in Section 4.1.2, it bears
-some additional elaboration, as it was the only problem that cannot
-be even partially solved using the current deployment model.  There
-are some mitigation methods.
-to4 routers receive traffic from non-6to4 ("native") sources via
-to4 relays.  6to4 routers have no way of matching the IPv4 source
-address of the relay with the non-6to4 IPv6 address of the source.
-Consequently, anyone can spoof any non-6to4 IPv6 address by sending
-traffic, encapsulated, directly to 6to4 routers.
-It could be possible to turn the deployment assumptions of 6to4
-around a bit to eliminate some threats caused by untrusted 6to4
-relays:
-o  Every dual-stack site (or even ISP) would be required to have its
-  own 6to4 relay.  (This assumes that IPv6-only is so far away that
-to4 would be retired by that point.)  That is, there would not be
-  third-party relays, and 2002::/16 and 192.88.99.0/24 routes would
-  not need to be advertised globally.
-o  The security implications of 6to4 use could be pushed back to the
-  level of trust inside the site or ISP (or their acceptable use
-  policies).  This is something that the sites and ISPs should
-  already be familiar with already.
-However, this presents a number of problems:
-This model would shift most of the burden of supporting 6to4 to IPv6
-sites that don't employ or use 6to4 at all, i.e., "those who deploy
-proper native dual-stack."  It could be argued that the deployment
-pain should be borne by 6to4 users, not by the others.
-The main advantage of 6to4 is easy deployment and free relays.  This
-would require that everyone the 6to4 sites wish to communicate with
-implement these measures.
-The model would not fix the "relay spoofing problem", unless
-everybody also deployed 6to4 addresses on the nodes (alongside with
-native addresses, if necessary), which would in turn change 6to4 to
-operate without relays completely.
-== Security Considerations ==
-This document discusses security considerations of 6to4.
-Even if proper checks are implemented, there are a large number of
-different security threats; these threats are analyzed in Section 4.
-There are mainly four classes of potential problem sources:
-.  6to4 routers not being able to identify whether relays are
-    legitimate
-.  Wrong or impartially implemented 6to4 router or relay security
-    checks
-.  6to4 architecture used to participate in DoS or reflected DoS
-    attacks or made to participate in "packet laundering", i.e.,
-    making another attack harder to trace
-.  6to4 relays being subject to "administrative abuse" e.g., theft
-    of service or being seen as a source of abuse.
-The first is the toughest problem, still under research.  The second
-can be fixed by ensuring the correctness of implementations; this is
-important.  The third is also a very difficult problem, impossible to
-solve completely; therefore it is important to be able to analyze
-whether this results in a significant increase of threats.  The
-fourth problem seems to have feasible solutions.
-These are analyzed in detail in "Threat Analysis", in Section 4.
-== Acknowledgments ==
-Some issues were first brought up by Itojun Hagino in [17], and Alain
-Durand introduced one specific problem at IETF51 in August 2001
-(though there was some discussion on the list prior to that); these
-two gave the authors the push to start looking into the details of
-securing 6to4.
-Alexey Kuznetsov brought up the implementation problem with IPv6
-martian checks.  Christian Huitema formulated the rules that rely on
-to4 relays using only anycast.  Keith Moore brought up the point
-about reduced flexibility.  Brian Carpenter, Tony Hain, and Vladislav
-Yasevich are acknowledged for lengthy discussions.  Alain Durand
-reminded the authors about relay spoofing problems.  Brian Carpenter
-reminded the authors about the BGP-based 6to4 router model.
-Christian Huitema gave a push for a more complete threat analysis.
-Itojun Hagino spelled out the operators' fears about 6to4 relay
-abuse.  Rob Austein brought up the idea of a different 6to4
-deployment model.
-In the latter phase, discussions with Christian Huitema, Brian
-Carpenter, and Alain Durand were helpful when improving the document.
-David Malone, Iljitsch van Beijnum, and Tim Chown gave feedback on
-the document.
-== References ==
-=== Normative References ===
-[1]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4    Clouds", [[RFC3056|RFC 3056]], February 2001.
-[2]  Bradner, S., "Key words for use in RFCs to Indicate Requirement    Levels", [[BCP14|BCP 14]], [[RFC2119|RFC 2119]], March 1997.
-[3]  Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", RFC    3068, June 2001.
-=== Informative References ===
-[4]  Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6     Hosts and Routers", [[RFC2893|RFC 2893]], August 2000.
-[5]  IANA, "Special-Use IPv4 Addresses", [[RFC3330|RFC 3330]], September 2002.
-[6]  Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 (BGP-4)",    [[RFC1771|RFC 1771]], March 1995.
-[7]  Draves, R., "Default Address Selection for Internet Protocol    version 6 (IPv6)", [[RFC3484|RFC 3484]], February 2003.
-[8]  Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor    Discovery (ND) Trust Models and Threats", [[RFC3756|RFC 3756]], May 2004.
-[9]  Arkko, J., Kempf, J., Sommerfeld, B., Zill, B., and P. Nikander,    "SEcure Neighbor Discovery (SEND)", Work in Progress, July 2004.
-[10] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for    IPv6 Hosts and Routers", Work in Progress, September 2004.
-[11] Savola, P., "Security of IPv6 Routing Header and Home Address    Options", Work in Progress, March 2002.
-[12] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating    Denial of Service Attacks which employ IP Source Address    Spoofing", [[BCP38|BCP 38]], [[RFC2827|RFC 2827]], May 2000.
-[13] Bellovin, S., Leech, M. and T. Taylor, "ICMP Traceback    Messages", Work in Progress, February 2003.
-[14] Baker, F., "Requirements for IP Version 4 Routers", [[RFC1812|RFC 1812]],    June 1995.
-[15] Templin, F., Gleeson, T., Talwar, M. and D. Thaler, "Intra-Site    Automatic Tunnel Addressing Protocol (ISATAP)", Work in    Progress, May 2004.
-[16] Simpson, W., "IP in IP Tunneling", [[RFC1853|RFC 1853]], October 1995.
-[17] Hagino, J., "Possible abuse against IPv6 transition    technologies", Work in Progress, July 2000.
+[5]  IANA, "Special-Use IPv4 Addresses", RFC 3330, September 2002.
+[6]  Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 (BGP-4)",
+    RFC 1771, March 1995.
+[7]  Draves, R., "Default Address Selection for Internet Protocol
+    version 6 (IPv6)", RFC 3484, February 2003.
+[8]  Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
+    Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.
+[9]  Arkko, J., Kempf, J., Sommerfeld, B., Zill, B., and P. Nikander,
+    "SEcure Neighbor Discovery (SEND)", Work in Progress, July 2004.
+[10] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for
+    IPv6 Hosts and Routers", Work in Progress, September 2004.
+[11] Savola, P., "Security of IPv6 Routing Header and Home Address
+    Options", Work in Progress, March 2002.
+[12] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating
+    Denial of Service Attacks which employ IP Source Address
+    Spoofing", BCP 38, RFC 2827, May 2000.
+[13] Bellovin, S., Leech, M. and T. Taylor, "ICMP Traceback
+    Messages", Work in Progress, February 2003.
+[14] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812,
+    June 1995.
+[15] Templin, F., Gleeson, T., Talwar, M. and D. Thaler, "Intra-Site
+    Automatic Tunnel Addressing Protocol (ISATAP)", Work in
+    Progress, May 2004.
+[16] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995.
+[17] Hagino, J., "Possible abuse against IPv6 transition
+    technologies", Work in Progress, July 2000.
+Appendix A.  Some Trivial Attack Scenarios Outlined
+Here, a few trivial attack scenarios are outlined -- ones that are
+prevented by implementing checks listed in [1] or in section 6.
+When two 6to4 routers send traffic to each others' domains, the
+packet sent by RA to RB resembles the following:
+src_v6 = 2002:0800:0001::aaaa
+dst_v6 = 2002:0800:0002::bbbb
+src_v4 = 8.0.0.1 (added when encapsulated to IPv4)
+dst_v4 = 8.0.0.2 (added when encapsulated to IPv4)
+When the packet is received by IPv4 stack on RB, it will be
+decapsulated so that only src_v6 and dst_v6 remain, as originally
+sent by RA:
+src_v6 = 2002:0800:0001::aaaa
+dst_v6 = 2002:0800:0002::bbbb
+As every other node is just one hop away (IPv6-wise) and the
+link-layer (IPv4) addresses are lost, this may open many
+possibilities for misuse.
+As an example, unidirectional IPv6 spoofing is made trivial because
+nobody can check (without delving into IP-IP packets) whether the
+encapsulated IPv6 addresses were authentic.  (With native IPv6, this
+can be done by, e.g., RPF-like mechanisms or access lists in upstream
+routers.)
+src_v6 = 2002:1234:5678::aaaa (forged)
+dst_v6 = 2002:0800:0002::bbbb
+src_v4 = 8.0.0.1 (added when encapsulated to IPv4)
+dst_v4 = 8.0.0.2 (added when encapsulated to IPv4)
+A similar attack with "src" being the native address is made
+possible, even with the security checks, by having the sender node
+pretend to be a 6to4 relay router.
-Appendix A.  Some Trivial Attack Scenarios Outlined
-Here, a few trivial attack scenarios are outlined -- ones that areprevented by implementing checks listed in [1] or in section 6.
-When two 6to4 routers send traffic to each others' domains, thepacket sent by RA to RB resembles the following:
-src_v6 = 2002:0800:0001::aaaadst_v6 = 2002:0800:0002::bbbbsrc_v4 = 8.0.0.1 (added when encapsulated to IPv4)dst_v4 = 8.0.0.2 (added when encapsulated to IPv4)
-When the packet is received by IPv4 stack on RB, it will bedecapsulated so that only src_v6 and dst_v6 remain, as originallysent by RA:
-src_v6 = 2002:0800:0001::aaaadst_v6 = 2002:0800:0002::bbbb
-As every other node is just one hop away (IPv6-wise) and thelink-layer (IPv4) addresses are lost, this may open manypossibilities for misuse.
-As an example, unidirectional IPv6 spoofing is made trivial becausenobody can check (without delving into IP-IP packets) whether theencapsulated IPv6 addresses were authentic.  (With native IPv6, thiscan be done by, e.g., RPF-like mechanisms or access lists in upstreamrouters.)
-src_v6 = 2002:1234:5678::aaaa (forged)dst_v6 = 2002:0800:0002::bbbbsrc_v4 = 8.0.0.1 (added when encapsulated to IPv4)dst_v4 = 8.0.0.2 (added when encapsulated to IPv4)
-A similar attack with "src" being the native address is madepossible, even with the security checks, by having the sender nodepretend to be a 6to4 relay router.
 More worries come into the picture if, e.g.,
-src_v6 = ::ffff:[some trusted IPv4 in a private network]src_v6/dst_v6 = ::ffff:127.0.0.1src_v6/dst_v6 = ::1src_v6/dst_v6 = ...
+src_v6 = ::ffff:[some trusted IPv4 in a private network]
+src_v6/dst_v6 = ::ffff:127.0.0.1
+src_v6/dst_v6 = ::1
+src_v6/dst_v6 = ...
+Some implementations might have been careful enough to design the
+stack so as to avoid the incoming (or reply) packets going to IPv4
+packet processing through special addresses (e.g., IPv4-mapped
+addresses), but who can say for all ...
-Some implementations might have been careful enough to design thestack so as to avoid the incoming (or reply) packets going to IPv4packet processing through special addresses (e.g., IPv4-mappedaddresses), but who can say for all ...
 Authors' Addresses
@@ Line 1,948: / Line 1,745: @@
 EMail: [email protected]
 Chirayu Patel
@@ Line 1,959: / Line 1,755: @@
 EMail: [email protected]
 URI:  http://www.chirayu.org
 Full Copyright Statement
@@ Line 1,993: / Line 1,761: @@
 This document is subject to the rights, licenses and restrictions
-contained in [[BCP78|BCP 78]], and except as set forth therein, the authors
+contained in BCP 78, and except as set forth therein, the authors
 retain all their rights.
@@ Line 2,013: / Line 1,781: @@
 made any independent effort to identify any such rights.  Information
 on the IETF's procedures with respect to rights in IETF Documents can
-be found in [[BCP78|BCP 78]] and [[BCP79|BCP 79]].
+be found in BCP 78 and BCP 79.
 Copies of IPR disclosures made to the IETF Secretariat and any
@@ Line 2,032: / Line 1,800: @@
 Funding for the RFC Editor function is currently provided by the
 Internet Society.
-[[Category:Informational]]

Anonymous

Search

Difference between revisions of "RFC3964"

Revision as of 15:31, 24 September 2020

Contents

Introduction

Different 6to4 Forwarding Scenarios

From 6to4 to 6to4

From Native to 6to4

From 6to4 to Native

Other Models

BGP between 6to4 Routers and Relays

6to4 as an Optimization Method

6to4 as Tunnel End-Point Addressing Mechanism

Functionalities of 6to4 Network Components

6to4 Routers

6to4 Relay Routers

Threat Analysis

Attacks on 6to4 Networks

Attacks with ND Messages

Spoofing Traffic to 6to4 Nodes

Reflecting Traffic to 6to4 Nodes

Local IPv4 Broadcast Attack

Attacks on Native IPv6 Internet

Attacks with ND Messages

Spoofing Traffic to Native IPv6 Node

Reflecting Traffic to Native IPv6 Nodes

Local IPv4 Broadcast Attack

Theft of Service

Relay Operators Seen as Source of Abuse

Attacks on IPv4 Internet

Summary of the Attacks

Implementing Proper Security Checks in 6to4

Encapsulating IPv6 into IPv4

Decapsulating IPv4 into IPv6

IPv4 and IPv6 Sanity Checks

IPv4

IPv6

Optional Ingress Filtering

Notes about the Checks

Issues in 6to4 Implementation and Use

Implementation Considerations with Automatic Tunnels

A Different Model for 6to4 Deployment

Security Considerations

Acknowledgments

References

Normative References

Informative References

Navigation

Wiki tools

Page tools