Something with filters

Steinar H. Gunderson sesse at google.com
Thu Aug 28 16:46:21 CEST 2014


On Thu, Aug 28, 2014 at 04:31:22PM +0200, Enno Rey wrote:
> To be honest, as another security person, I'm not really sure about the
> benefit of uRPF in the IPv6 world, in some scenarios.
> Imagine a single infected smartphone on LTE, generating connections with
> potentially 2^64 different source addresses from its assigned /64. How
> would you counter that with uRPF?

With uRPF in place, you can just block off that /64. Without, the smartphone
can fake addresses in the entire 2000::/3 unicast space. That's a pretty
obvious win; uRPF didn't in itself prevent the attack, but it made it a lot
easier to mitigate it.

Also, uRPF makes a large class of traffic amplification attacks impossible,
since you can't fake the source address anymore.

/* Steinar */
-- 
Software Engineer, Google Switzerland
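
The mitigation argument above, as an added example that is not part of the original message: on the receiving side, collapse observed source addresses to their /64 and see whether a blockable prefix emerges. The sample addresses, the threshold of 50 and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

STRIDE = 0x9E3779B97F4A7C15  # odd constant, only used to spread the constructed samples

def distinct_per_64(sources):
    """Map each /64 to the set of distinct source addresses seen inside it."""
    seen = defaultdict(set)
    for src in sources:
        addr = ipaddress.IPv6Address(src)
        net = ipaddress.ip_network(f"{addr}/64", strict=False)
        seen[net].add(addr)
    return seen

def prefixes_to_block(sources, threshold=50):
    """Return the /64s whose distinct-source count reaches the (assumed) threshold."""
    seen = distinct_per_64(sources)
    return sorted(net for net, addrs in seen.items() if len(addrs) >= threshold)

# Constructed sample 1 (uRPF at the access edge): 200 sources that all fall
# inside one assigned /64, plus three unrelated clients.
HANDSET_64 = int(ipaddress.IPv6Address("2001:db8:10:20::"))
CONFINED = [str(ipaddress.IPv6Address(HANDSET_64 + (i * STRIDE) % 2**64))
            for i in range(200)]
CONFINED += ["2001:db8:1:1::10", "2001:db8:2:2::20", "2001:db8:2:2::21"]

# Constructed sample 2 (no uRPF): the same 200 flows, but the source field is
# spread over 2000::/3, so every flow appears to come from a different /64.
UNICAST_3 = 0x2000 << 48  # upper 64 bits of 2000::
SPREAD = [str(ipaddress.IPv6Address(((UNICAST_3 | (i * STRIDE) % 2**61) << 64) | 1))
          for i in range(200)]

if __name__ == "__main__":
    print("confined to a /64:", prefixes_to_block(CONFINED))
    print("spread over 2000::/3:", prefixes_to_block(SPREAD),
          "across", len(distinct_per_64(SPREAD)), "different /64s")
```

In the first sample a single /64 filter covers all 200 sources; in the second no prefix narrower than 2000::/3 does.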


