[153924] in North American Network Operators' Group
Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!
daemon@ATHENA.MIT.EDU (Arturo Servin)
Sun Jun 17 15:54:30 2012
From: Arturo Servin <arturo.servin@gmail.com>
In-Reply-To: <20120617194141.97263.qmail@joyce.lan>
Date: Sun, 17 Jun 2012 15:53:47 -0400
To: John Levine <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
If the ISP fails to filter my bogus space and leaks that route to the Internet (which happens today every day with IPv4, and will with IPv6) I would get my return path.
Again, if every ISP followed BCP 38 that would not happen (IPv6 and IPv4). But they are not, and probably they won't.
.as
On 17 Jun 2012, at 15:41, John Levine wrote:
>> BCP 38 would work. The problem is that many ISPs do not ingress filter, so I
>> can use whatever unallocated IPv6 space
>> (2F10:baba:ba30:e8cf:d06f:4881:973a:c68) to SPAM and then go invisible and use
>> another one (2E10:baba:ba30:e8cf:d06f:4881:973a:c68)
>
> How do you plan to get the return packets? DNS bombing with forged
> address UDP packets is one thing, but anything that runs over TCP
> won't work without return routes. If the bad guy can inject routes,
> you have worse problems than lack of SWIP.
>
> (This assumes the target is not using a 20 year old TCP stack with
> predictable sequence numbers, but in the IPv6 world we should be able
> to assume that particular security hole is closed.)
>
> I expect bad guys to hop around within a /64 or whatever size
> allocation the ISP assigns to customers, but that's still easily
> handled by SWIP, or by subpoena to the ISP if they didn't get around
> to SWIP.
>
> R's,
> John
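
Added example, not part of the original thread: a small Python model of the BCP 38 ingress check both posters refer to, run against the two source addresses quoted above and against a customer hopping inside its own /64. The interface names and the 2001:db8 (documentation) prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample data: customer-facing interfaces and the prefixes the
# ISP assigned on them. Names and prefixes are hypothetical (RFC 3849 space).
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("2001:db8:a::/48")],
    "cust-b": [ipaddress.ip_network("2001:db8:b:1::/64")],
}

def ingress_check(iface, src):
    """BCP 38 check: accept a packet only if its source address lies in a
    prefix assigned to the interface it arrived on.
    Returns (verdict, matching prefix or None)."""
    addr = ipaddress.ip_address(src)
    for net in ASSIGNED.get(iface, []):
        if addr.version == net.version and addr in net:
            return "forward", net
    return "drop", None

def attribute(src):
    """Map a source address to the customer whose assignment covers it,
    the lookup that SWIP records or the ISP's own records support."""
    addr = ipaddress.ip_address(src)
    for iface, nets in ASSIGNED.items():
        if any(addr.version == n.version and addr in n for n in nets):
            return iface
    return None

if __name__ == "__main__":
    # Sources as seen on interface cust-b (packets are constructed).
    samples = [
        "2F10:baba:ba30:e8cf:d06f:4881:973a:c68",  # address quoted in the thread
        "2E10:baba:ba30:e8cf:d06f:4881:973a:c68",  # address quoted in the thread
        "2001:db8:a::1",                           # another customer's space
        "2001:db8:b:1::1",                         # inside cust-b's /64
        "2001:db8:b:1:dead:beef:0:1",              # hopping within the same /64
    ]
    for src in samples:
        verdict, net = ingress_check("cust-b", src)
        print(f"{src:42} {verdict:8} attributed_to={attribute(src)}")
```

With the filter applied at the customer edge, the unallocated sources never leave the ISP, and every address that does pass still resolves to a single customer assignment.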