Re: comments on draft-itojun-v6ops-v4mapped-harmful-00.txt
>> o By transmitting IPv6 packet with ::ffff:127.0.0.1 in IPv6 source
>> address field, applications that assume basic API behavior will be
>> tricked to believe that the packet is from the node itself (IPv4
>> loopback address, 127.0.0.1).
>How is that different from the case of an IPv4 application receiving
>a packet with src address = 127.0.0.1?
>The kernel should have dropped it before passing it to
>the application. (see my last comment in this mail)
not really different, but this is not obvious, from piles of IPv6
documents, what kind of traffic people need to filter.
>> o By transmitting IPv6 packet to firewall device, with IPv4 mapped
>> address corresponds to address inside the firewall (like
>> ::ffff:10.1.1.1) as the IPv6 source address, malicious party could
>> bypass IPv4 filtering rules and inject traffic inside the firewall.
>This only means that ingress filtering should be smarter...
>And anyway, with all the security issues concerning tunneling
>and open relays, firewalls need to be smarter.
no, it is not just about firewalls.
>> o Assume that the victim node is an IPv4/v6 dual stack node. By
>> transmitting IPv6 packet with IPv4 mapped address corresponds to IPv4
>> broadcast address (::ffff:10.255.255.255) in IPv6 source address
>> field, to TCP/UDP port that swaps IPv6 source and destination address
>> (e.g. UDP port 53, DNS), malicious node can trick the victim node to
>> generate improper IPv4 broadcast traffic; This is because basic API on
>> the victim node will emit transmission requests to destination IPv4
>> mapped address, ::ffff:10.255.255.255, into IPv4 traffic.
>If a kernel implements 'basic API' semantic, it would/should
>drop any packet whose src/dst address is v4-mapped.
where is this recommendation documented? i believe nowhere.
>However, if the kernel implements 'SIIT' semantic,
>and passes v6 packets to applications with IPv4-mapped src addresses,
>the reverse is also true, that is, when those applications will answer,
>the kernel will output a v6 packet, not a v4 packet...
>Then up to the SIIT box to drop directed broadcast.
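The three cases argued over above (mapped loopback, mapped address of a node behind the firewall, mapped directed broadcast) all come down to one check that a kernel, firewall or ingress filter can apply to the IPv6 source address before a basic-API application ever sees the packet. The following is an added illustration, not code from the draft, the thread or any implementation; the local subnet list and the sample addresses are constructed for the example:

```python
import ipaddress

# Constructed assumption: the dual-stack node's IPv4 interfaces live in
# these networks, so their directed-broadcast addresses are "local".
LOCAL_IPV4_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def classify_v6_source(src: str, local_nets=LOCAL_IPV4_NETS) -> str:
    """Classify an IPv6 source address arriving on the wire.

    Returns "ok" for a native IPv6 source, or a reason string describing
    why a v4-mapped source should be dropped before reaching a basic-API
    application (which would treat it as an IPv4 peer).
    """
    addr = ipaddress.ip_address(src)
    if addr.version != 6:
        raise ValueError("expected an IPv6 address, got %r" % src)
    v4 = addr.ipv4_mapped          # None unless the address is ::ffff:a.b.c.d
    if v4 is None:
        return "ok"
    if v4.is_loopback:             # ::ffff:127.0.0.1 -> "from myself"
        return "mapped-loopback"
    if v4.is_multicast or v4 == ipaddress.IPv4Address("255.255.255.255"):
        return "mapped-broadcast"
    for net in local_nets:
        if v4 == net.broadcast_address:   # ::ffff:10.255.255.255 case
            return "mapped-broadcast"
        if v4 in net:                     # ::ffff:10.1.1.1 behind the firewall
            return "mapped-internal"
    if v4.is_private:
        return "mapped-private"
    return "mapped"                # mapped but not obviously spoofed; still
                                   # never legitimate on the wire (RFC 4291)

def filter_sources(sources):
    """Split constructed packet sources into (accepted, rejected_with_reason)."""
    accepted, rejected = [], []
    for s in sources:
        reason = classify_v6_source(s)
        (accepted if reason == "ok" else rejected).append((s, reason))
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample of on-the-wire source addresses.
    sample = ["2001:db8::1", "::ffff:127.0.0.1",
              "::ffff:10.1.1.1", "::ffff:10.255.255.255"]
    ok, bad = filter_sources(sample)
    for s, why in bad:
        print("drop", s, "->", why)
```

The point the check makes concrete is that the kernel (or the SIIT box) is the only place with both pieces of information: that the address was carried in an IPv6 header, and which IPv4 addresses are local; an application using the basic API sees only a plain IPv4 address and cannot tell the two apart.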