
Re: drafty IPv6 security overview draft submitted



Pekka,

Thanks for starting this effort.
A couple points:
1- You do not talk about the tunneling/open relay issues,
     like the abuse of 6to4. Those were discussed elsewhere,
     but I think it would be worth mentioning them here.

2- I came across an interesting issue when playing with VPN:
    I use an IPv4 VPN to connect to my office network.
    My DNS resolution is done over IPv4.
    When I'm looking for my server, the DNS (over IPv4 over VPN)
    returns both A and AAAA records. When my laptop is on an IPv6
    enabled link, it will use IPv6 to try to connect to my server.
    However, the VPN does not know about IPv6, and it lets the packets
    go on the local network. Anybody on the
    local link can intercept those packets by pretending to have the IPv6
    address of my server (thanks to neighbor discovery, it does not even
    have to compromise any router...).
    This may be a bug in my VPN, but I wonder how many VPNs share
    the same behavior...

   - Alain.



Pekka Savola wrote:

Hello all,

I just submitted a draft on IPv6 security overview. It's quite raw and badly structured, but I ran out of time (and I'm off for a few days, back on Wednesday or so).

I've tried to describe at least briefly all the aspects relating to IPv6 and IPv6 transition/co-existence I could quickly think of. This could be one basis for the security discussion in Vienna.

Please have a look at it at some point and send feedback.

Prior to it being formally posted, it can be read from:

http://www.netcore.fi/pekkas/ietf/draft-savola-v6ops-security-overview-00.txt

Abstract

The transition/co-existence from IPv4 to IPv4/IPv6 causes one to
consider the security considerations of such a process. In this
memo, I try to give an overview of different aspects relating to
IPv6: the notion of increased end-to-end transparency, implications
of tunneling, the use of IPv4-mapped addresses, the considerations of
IPv6 service piloting without firewalls, IPv6 protocol-specific
issues, IPv6 transition/co-existence mechanism-specific issues,
consequences of enabling IPv6 by default, and operational security
issues when enabling IPv6 in the network infrastructure.


It's only about 8 pages or so :-)
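
The VPN behavior described in point 2 of the reply, as an added example that is not part of either message: a check that takes the A and AAAA answers for a server and reports which of them would leave on an interface other than the VPN tunnel. The route tables, addresses and interface names (`tun0`, `wlan0`) are constructed samples, and the lookup is a plain longest-prefix match that ignores route metrics and policy routing.

```python
import ipaddress

# Constructed sample: `ip -4 route` / `ip -6 route` style output from a laptop
# whose VPN client (tun0, assumed name) installed IPv4 routes only.
ROUTES_V4 = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link
192.168.1.0/24 dev wlan0 proto kernel scope link
"""
ROUTES_V6 = """\
default via fe80::1 dev wlan0 proto ra metric 600
2001:db8:1::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 256
"""

def parse_routes(text, family):
    """Return [(network, interface)] from `ip route`-style lines."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        prefix = default if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(prefix, strict=False)
        routes.append((net, tok[tok.index("dev") + 1]))
    return routes

def egress_interface(addr, routes):
    """Longest-prefix match; None when no route covers the address."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None

def find_leaks(resolved, routes, vpn_ifaces):
    """Resolved addresses that would be sent outside the VPN interfaces."""
    leaks = []
    for addr in resolved:
        dev = egress_interface(addr, routes)
        if dev is not None and dev not in vpn_ifaces:
            leaks.append((addr, dev))
    return leaks

if __name__ == "__main__":
    routes = parse_routes(ROUTES_V4, 4) + parse_routes(ROUTES_V6, 6)
    # Constructed A and AAAA answers for the office server.
    for addr, dev in find_leaks(["10.20.0.5", "2001:db8:ffff::5"], routes, {"tun0"}):
        print(f"{addr} would be sent on {dev}, outside the VPN")
```

With no IPv6 route at all the AAAA address is unreachable rather than leaked, which is why `find_leaks` skips addresses that match no route.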