Hurricane Electric's IPv6 Tunnel Broker Forums


Topic: letting users choose the host number to assign their tunnels

Ninho

letting users choose the host number to assign their tunnels
« on: August 19, 2009, 11:20:01 AM »

I had an idea: instead of assigning a fixed host number ::2 to the user end of the tunnels, let them choose one number (among 2^64) for the host part of the tunnel IP, as a measure to prevent the hijacking of tunnels by a hacker who spoofed the user's IPv4 address, especially in case that IPv4 is dynamic.

Will the software you run allow such a thing?
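To make the proposal concrete, here is an added example; it is not code from the original post and not Hurricane Electric's tunnel software. It models a 6in4 (IP protocol 41) tunnel server that accepts a decapsulated packet either on the outer IPv4 source alone, or additionally on the inner IPv6 source matching a user-chosen 64-bit host number. The prefix 2001:db8:1:2::/64, the addresses 203.0.113.7 and 192.0.2.1, the chosen host part 5a3f:0:1234:abcd and all function names are assumptions made for illustration; IPv4 checksums are left at zero.

```python
import ipaddress
import struct

# Constructed sample values (assumptions for the example, not HE's configuration).
TUNNEL_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")  # the tunnel /64
SERVER_V4 = "192.0.2.1"      # broker's IPv4 endpoint (hypothetical)
USER_V4 = "203.0.113.7"      # user's registered, possibly dynamic, IPv4 (hypothetical)
INNER_DST = "2001:db8::53"   # some IPv6 destination beyond the tunnel (hypothetical)


def ipv4_header(src, dst, payload_len, proto=41):
    """Minimal 20-byte IPv4 header, no options; checksum left 0 for illustration."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src, dst, payload_len, next_header=59):
    """Fixed 40-byte IPv6 header; next header 59 means 'no next header'."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def encapsulate(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Build a 6in4 packet: IPv4(proto 41) carrying an IPv6 packet (RFC 4213 style)."""
    inner = ipv6_header(inner_src, inner_dst, len(payload)) + payload
    return ipv4_header(outer_src, outer_dst, len(inner)) + inner


def decapsulate(pkt):
    """Return (outer IPv4 source, inner IPv6 source) of a 6in4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 41:
        raise ValueError("not protocol 41")
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv6Address(inner[8:24])


def accept_outer_only(pkt, registered_v4):
    """Accept if the outer IPv4 source matches the registered endpoint.
    This is the check a spoofed IPv4 source defeats."""
    outer_src, _ = decapsulate(pkt)
    return str(outer_src) == registered_v4


def accept_with_host_check(pkt, registered_v4, registered_v6):
    """Additionally require the inner IPv6 source to be the user's tunnel address.
    A blind spoofer who does not know the host number cannot produce this."""
    outer_src, inner_src = decapsulate(pkt)
    return str(outer_src) == registered_v4 and inner_src == registered_v6


def demo():
    """Legitimate packet vs. a packet from an attacker who spoofs USER_V4 and guesses ::2."""
    chosen_host = TUNNEL_PREFIX[0x5a3f_0000_1234_abcd]  # user-chosen host part (assumed)
    default_host = TUNNEL_PREFIX[2]                      # the conventional ::2
    legit = encapsulate(USER_V4, SERVER_V4, str(chosen_host), INNER_DST)
    spoofed = encapsulate(USER_V4, SERVER_V4, str(default_host), INNER_DST)
    return {
        "legit_outer_only": accept_outer_only(legit, USER_V4),
        "spoof_outer_only": accept_outer_only(spoofed, USER_V4),       # spoof passes
        "legit_host_check": accept_with_host_check(legit, USER_V4, chosen_host),
        "spoof_host_check": accept_with_host_check(spoofed, USER_V4, chosen_host),  # rejected
        # If the user kept ::2, the same spoofed packet is accepted: the host number
        # only helps while the attacker cannot guess or look it up.
        "spoof_default_host_check": accept_with_host_check(spoofed, USER_V4, default_host),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The last result is the caveat: the inner-source check stops only blind spoofing. Anyone who can observe the tunnel's traffic, or otherwise learn the user's tunnel address, can supply it, which is the objection raised in the replies further down.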

kriteknetworks

Re: letting users choose the host number to assign their tunnels
« Reply #1 on: August 19, 2009, 05:25:06 PM »

Has there been a problem of tunnels getting hijacked? No point in addressing problems that don't exist. Security through obscurity isn't a fix for anything.

Ninho

Re: letting users choose the host number to assign their tunnels
« Reply #2 on: August 25, 2009, 03:31:38 AM »

Quote
Has there been a problem of tunnels getting hijacked? No point in addressing problems that don't exist.

If there's a potential problem, better to prevent than to have to cure.

Quote
Security through obscurity isn't a fix for anything.

Hmmm! Might need to rethink the old saying; in other words: how obscure is "obscure"? ;=)
Your observation applies well to, for instance, people trying to hide a service under an undisclosed port number (one out of 65535), but here we're hiding a host under an undisclosed IPv6 number out of a billion gazillions! It is a different world!

kriteknetworks

Re: letting users choose the host number to assign their tunnels
« Reply #3 on: August 25, 2009, 05:42:42 AM »

Again, I'm sure if the HE administrators were having security issues, they'd have long since been addressed. As I said previously, no point in addressing problems that don't exist.

If you're concerned about YOUR tunnel being hijacked, send an email to ipv6@he.net expressing your concerns, mitigating factors, etc.

broquea

  • Sr. Network Engineer, HE.NET AS6939
Re: letting users choose the host number to assign their tunnels
« Reply #4 on: August 25, 2009, 09:35:23 AM »

Seeing as we configure forward and reverse DNS entries, even if you set it to something other than ::2, a clever person simply has to look at DNS to see what your remote side of the tunnel is. Also how in the world would they even figure out what IPv4 to spoof? This assumes that everyone subscribing to the same ISP as you do, are really awesome malicious black hats or something, and not grandparents trading family photos around in email. This feels like paranoia taken to a bit of an extreme, over a simple free service. If we see any abuse from a tunnel, we address it and contact the tunnel's user. So if your tunnel suddenly goes bonkers sourcing stuff, we'll be sure to email you about it.

Thank you for the suggestion.

Ninho

Re: letting users choose the host number to assign their tunnels
« Reply #5 on: August 26, 2009, 03:46:29 AM »

Quote
Seeing as we configure forward and reverse DNS entries, even if you set it to something other than ::2, a clever person simply has to look at DNS to see what your remote side of the tunnel is.

Good point! You'd have to avoid DNS-registering the user's tunnel end. Is that registration any use?

Quote
Also how in the world would they even figure out what IPv4 to spoof? This assumes that everyone subscribing to the same ISP as you do, are really awesome malicious black hats or something, and not grandparents trading family photos around in email. This feels like paranoia taken to a bit of an extreme, over a simple free service.

I take your allusion to paranoia as carrying an implicit smiley. Of course, any discussion about security must assume everyone is (potentially) malicious, and whereas I am truly grateful for the free (simple?) service, I don't see how the price relates to abstract discussion of possible threats. Unless you just meant that combatting threats carries a cost, which I concede.


Quote
If we see any abuse from a tunnel, we address it and contact the tunnel's user. So if your tunnel suddenly goes bonkers sourcing stuff, we'll be sure to email you about it.

I don't doubt you will.

Quote
Thank you for the suggestion.

YVW :=)