• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

letting users choose the host number to assign their tunnels

Started by Ninho, August 19, 2009, 11:20:01 AM

Previous topic - Next topic

Ninho

I had an idea : instead of assigning a fixed host number ::2 to the user end of the tunnels, let them choose one number (among 2^64) for the host part of the tunnel IP. As a measure to prevent the hijacking of tunnels by a hacker who spoofed the user's IPv4 address, especially in case that IPv4 is dynamic.

Will the software you run allow such a thing ?

kriteknetworks

Has there been a problem of tunnels getting highjacked? No point in addressing problems that don't exist. Security through obscurity isn't a fix for anything.

Ninho

Quote from: kriteknetworks on August 19, 2009, 05:25:06 PM
Has there been a problem of tunnels getting highjacked? No point in addressing problems that don't exist.

If there's a potential problem, better prevent than having to cure.

QuoteSecurity through obscurity isn't a fix for anything.

Hmmm! Might need rethinking the old saying, in other words : how obscure is "obscure" ? ;=)
Your observation applies well to, for instance, people trying to hide a service under an undisclosed port number (one out of 65535), but here were hiding a host under an undisclosed IPv6 number out of a billion gazillions ! It is a different world !

kriteknetworks

Again, I'm sure if the HE administrators were having security issues, they'd have long since been addressed. As I said previously, no point in addressing problems that don't exist.

If you're concerned about YOUR tunnel being highjacked, send an email to ipv6@he.net expressing your concerns, mitigating factors, etc.

broquea

Seeing as we configure forward and reverse DNS entries, even if you set it to something other than ::2, a clever person simply has to look at DNS to see what your remote side of the tunnel is. Also how in the world would they even figure out what IPv4 to spoof? This assumes that everyone subscribing to the same ISP as you do, are really awesome malicious black hats or something, and not grandparents trading family photos around in email. This feels like paranoia taken to a bit of an extreme, over a simple free service. If we see any abuse from a tunnel, we address it and contact the tunnel's user. So if your tunnel suddenly goes bonkers sourcing stuff, we'll be sure to email you about it.

Thank you for the suggestion.

Ninho

Quote from: broquea on August 25, 2009, 09:35:23 AM
Seeing as we configure forward and reverse DNS entries, even if you set it to something other than ::2, a clever person simply has to look at DNS to see what your remote side of the tunnel is.

Good point ! You'd have to avoid DNS-registering the user's tunnel end. Is that registration any use ?

Quote
Also how in the world would they even figure out what IPv4 to spoof? This assumes that everyone subscribing to the same ISP as you do, are really awesome malicious black hats or something, and not grandparents trading family photos around in email. This feels like paranoia taken to a bit of an extreme, over a simple free service.

I take your allusion of paranoia as carrying an implicit smiley. Of course, any discussion about security must assume everyone is (potentially) malicious, and whereas I am truly grateful for the free (simple?) service, I don't see how the price relates to abstract discussion of possible threats. Unless you just meant that combatting threats carries a cost, which I concede.


QuoteIf we see any abuse from a tunnel, we address it and contact the tunnel's user. So if your tunnel suddenly goes bonkers sourcing stuff, we'll be sure to email you about it.

I don't doubt you will.

Quote
Thank you for the suggestion.

YVW :=)