
8. Security Considerations

This document does not raise any additional security issues beyond those of BGP-4 and the Multiprotocol Extensions for BGP-4. The same security mechanisms are applicable.

However, as [RFC4272] discusses, BGP is vulnerable to traffic diversion attacks. The ability to advertise an IPv6 next hop adds a new means by which an attacker could cause traffic to be diverted from its normal path. Such an attack differs from preexisting vulnerabilities in that traffic could be forwarded to a distant target across an intervening network infrastructure (e.g., an IPv6 core), allowing an attack to potentially succeed more easily since less infrastructure would have to be subverted. Potential consequences include "hijacking" of traffic or denial of service.

Although not expected to be the typical case, the IPv6 address used as the BGP next-hop address could be an IPv4-mapped IPv6 address (as defined in [RFC4291]). Configuration of the security mechanisms potentially deployed by the network operator (such as security checks on a next-hop address) also needs to keep this case in mind.
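The following added example (not part of the original document) shows a next-hop check that evaluates only the address as received, beside one that also evaluates the IPv4 address embedded in an IPv4-mapped IPv6 next hop. The deny list, the function names, and the sample next hops are constructed assumptions standing in for an operator's own policy.

```python
import ipaddress

# Constructed operator policy (assumption): next hops inside these prefixes
# are rejected. The prefixes are loopback and documentation ranges.
DENIED = [ipaddress.ip_network(p) for p in
          ("127.0.0.0/8", "198.51.100.0/24", "::1/128", "2001:db8:dead::/48")]


def _denied(addr):
    # Compare only against prefixes of the same address family.
    return any(addr.version == n.version and addr in n for n in DENIED)


def naive_next_hop_ok(text):
    """Checks the address exactly as received, one family at a time."""
    return not _denied(ipaddress.ip_address(text))


def next_hop_ok(text):
    """Also checks the embedded IPv4 address of an IPv4-mapped next hop."""
    addr = ipaddress.ip_address(text)
    if _denied(addr):
        return False
    # ipv4_mapped is set only for addresses in ::ffff:0:0/96.
    mapped = addr.ipv4_mapped if addr.version == 6 else None
    return mapped is None or not _denied(mapped)


# Constructed sample next hops (hypothetical, not taken from any real feed).
SAMPLES = ["192.0.2.1", "198.51.100.7", "2001:db8:1::1",
           "::ffff:198.51.100.7", "::ffff:127.0.0.1", "::ffff:192.0.2.1"]


def compare(samples=SAMPLES):
    """Return {next_hop: (naive_result, mapped_aware_result)}."""
    return {s: (naive_next_hop_ok(s), next_hop_ok(s)) for s in samples}


if __name__ == "__main__":
    for nh, (naive, aware) in compare().items():
        print(f"{nh:24} naive={naive!s:5} mapped-aware={aware}")
```

Rows where the two results differ are next hops that an IPv4 rule was meant to reject but that pass when presented in IPv4-mapped IPv6 form.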