Something with filters
gert at space.net
Thu Aug 28 17:00:38 CEST 2014
On Thu, Aug 28, 2014 at 04:31:22PM +0200, Enno Rey wrote:
> to be honest, as another security person, I'm not really sure about the benefit of uRPF in the IPv6 world, in some scenarios.
> imagine a single infected smartphone on LTE, generating connections with potentially 2^64 different source addresses from its assigned /64. How would you counter that with uRPF?
The point is not to counter devices from spoofing random addresses - but
from spoofing random addresses *not trackable to them*.
> not to speak about a home device sitting behind a CPE (and mimicing connections from different /64s being part of the /56 the CPE "got")...
Same thing. I do not care which address customer A uses out of their
/56, but if I get an abuse complaint, I do care very much that customer
A is not sending packets with a source belonging to customer B...
(And the whole bunch of reflective DoS attacks we're seeing these days
would be stopped cold if uRPF/BCP38 would be deployed at the true
sources of the spoofed packets)
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
More information about the ipv6-ops