Something with filters

Gert Doering gert at
Thu Aug 28 17:00:38 CEST 2014


On Thu, Aug 28, 2014 at 04:31:22PM +0200, Enno Rey wrote:
> to be honest, as another security person, I'm not really sure about the benefit of uRPF in the IPv6 world, in some scenarios.
> imagine a single infected smartphone on LTE, generating connections with potentially 2^64 different source addresses from its assigned /64. How would you counter that with uRPF?

The point is not to counter devices from spoofing random addresses - but
from spoofing random addresses *not trackable to them*.

> not to speak about a home device sitting behind a CPE (and mimicking connections from different /64s being part of the /56 the CPE "got")...
> thoughts?

Same thing.  I do not care which address customer A uses out of their
/56, but if I get an abuse complaint, I do care very much that customer
A is not sending packets with a source belonging to customer B...

(And the whole bunch of reflective DoS attacks we're seeing these days
would be stopped cold if uRPF/BCP38 would be deployed at the true 
sources of the spoofed packets)

Gert Doering
        -- NetMaster
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
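
The following is an added example, not part of the original message or of any router's code: a small model of a strict uRPF check at the customer edge, showing that any source inside customer A's own /56 passes while a source belonging to customer B or to a third party is dropped. The interface names, the routing table and all prefixes (taken from the 2001:db8::/32 documentation range) are constructed assumptions.

```python
import ipaddress
import random

# Constructed routing table: prefix -> interface the route points to.
ROUTES = {
    ipaddress.ip_network("2001:db8:a:100::/56"): "cust-A",
    ipaddress.ip_network("2001:db8:a:200::/56"): "cust-B",
    ipaddress.ip_network("::/0"): "uplink",
}


def best_route(src):
    """Longest-prefix match on the source; returns the interface or None."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in ROUTES
               if net.version == addr.version and addr in net]
    if not matches:
        return None
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]


def strict_urpf_accept(ingress_if, src):
    """Strict uRPF: accept only if the route back to src uses ingress_if."""
    return best_route(src) == ingress_if


def random_sources(prefix, count, seed=1):
    """Random addresses spread over every /64 and interface ID of a prefix."""
    net = ipaddress.ip_network(prefix)
    rng = random.Random(seed)
    host_bits = net.max_prefixlen - net.prefixlen
    base = int(net.network_address)
    return [str(ipaddress.ip_address(base + rng.getrandbits(host_bits)))
            for _ in range(count)]


if __name__ == "__main__":
    # Customer A hopping across its whole /56: accepted, and still
    # attributable to A because every address maps back to A's prefix.
    for src in random_sources("2001:db8:a:100::/56", 3):
        print("cust-A", src, strict_urpf_accept("cust-A", src))
    # Customer A using customer B's address, or a third party's address
    # (the reflection case): dropped at the edge.
    for src in ("2001:db8:a:200::1", "2001:db8:ffff::53"):
        print("cust-A", src, strict_urpf_accept("cust-A", src))
```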
