
Re: comments on draft-itojun-v6ops-v4mapped-harmful-00.txt



On Saturday, September 14, 2002, at 05:18 PM, itojun@iijlab.net wrote:

o Assume that the victim node is an IPv4/v6 dual-stack node. By
transmitting an IPv6 packet whose IPv4-mapped source address corresponds
to the IPv4 broadcast address (::ffff:10.255.255.255), to a TCP/UDP port
that swaps the IPv6 source and destination addresses (e.g. UDP port 53,
DNS), a malicious node can trick the victim node into generating improper
IPv4 broadcast traffic; this is because the basic API on the victim node
will turn transmission requests to the destination IPv4-mapped address,
::ffff:10.255.255.255, into IPv4 traffic.
If a kernel implements the 'basic API' semantics, it would/should
drop any packet whose src/dst address is v4-mapped.
	Where is this recommendation documented?  I believe nowhere.
I think this is the core of the discussion. My take is that
it should be documented somewhere that if one implements the
basic API semantics, the kernel should drop incoming packets with
an IPv4-mapped src address, but if one decides to accept them,
then when the same kernel is asked to send to an IPv4-mapped
address, it should send it on the wire as an IPv6 address.

The first behavior is fine for dual-stack hosts, the second
for IPv6-only hosts.

	- Alain.
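The three kernel behaviours under discussion, worked through as an added example that is not part of the draft or of either message above. The policy names ("naive", "basic-api", "v6-only") are labels of my own: "naive" is the behaviour the draft warns about (accept a v4-mapped source and let the reply be translated to IPv4), "basic-api" drops any incoming packet with a v4-mapped source, and "v6-only" accepts it but keeps the reply on the wire as IPv6. The reflecting service is modelled only as "swap source and destination", which is what a DNS responder on UDP/53 effectively does; the local networks are constructed input.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Policy labels are mine, not the draft's; see the lead-in for what each means.
POLICIES = ("naive", "basic-api", "v6-only")

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def embedded_ipv4(src: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in a ::ffff:a.b.c.d source, else None."""
    return ipaddress.IPv6Address(src).ipv4_mapped


def ipv4_is_group_destination(v4: ipaddress.IPv4Address,
                              local_nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if a 'unicast' reply to v4 would actually reach a whole group:
    the limited broadcast, a multicast group, or the directed broadcast
    address of one of the host's own networks (e.g. 10.255.255.255 on 10/8)."""
    return (v4 == LIMITED_BROADCAST
            or v4.is_multicast
            or any(v4 == n.broadcast_address for n in local_nets))


def decide_reply(src: str, policy: str,
                 local_nets: Iterable[str]) -> Tuple[str, Optional[str], Optional[str], bool]:
    """Decide what a service that simply swaps source and destination would
    put on the wire in reply to an IPv6 packet with source address `src`.

    Returns (action, wire_family, destination, hazardous), where `hazardous`
    is True when the reply would leave the host as IPv4 broadcast/multicast
    traffic, i.e. the amplification the draft describes.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    v4 = embedded_ipv4(src)

    if v4 is None:
        # Native IPv6 source: every policy replies as IPv6 to the same address.
        return ("send", "ipv6", src, False)

    if policy == "basic-api":
        # Dual-stack host: a v4-mapped source on an IPv6 packet is never
        # legitimate, so the packet is dropped before any reply is generated.
        return ("drop", None, None, False)

    if policy == "v6-only":
        # IPv6-only host: the address is treated as an opaque IPv6 address and
        # the reply goes out as IPv6; the embedded IPv4 value is never
        # interpreted, so no IPv4 broadcast can result.
        return ("send", "ipv6", src, False)

    # "naive": basic-API translation turns the reply into an IPv4 packet
    # addressed to the embedded IPv4 address, broadcast or not.
    return ("send", "ipv4", str(v4), ipv4_is_group_destination(v4, nets))


if __name__ == "__main__":
    # Constructed scenario: the victim sits on 10.0.0.0/8, the attacker sends
    # an IPv6 datagram to UDP/53 with a forged v4-mapped broadcast source.
    victim_nets = ["10.0.0.0/8"]
    for src in ("::ffff:10.255.255.255", "::ffff:192.0.2.7", "2001:db8::1"):
        for policy in POLICIES:
            print(f"{src:24} {policy:10} -> {decide_reply(src, policy, victim_nets)}")
```

Running the demo shows the asymmetry Alain describes: only the "naive" row for ::ffff:10.255.255.255 is flagged hazardous, "basic-api" drops it, and "v6-only" answers it as an ordinary IPv6 destination. A host that accepts v4-mapped sources but then translates replies to IPv4 is the one combination that must not exist.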