[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]

To: Pekka Savola <pekkas@netcore.fi>
Subject: Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
From: Fred Templin <ftemplin@iprg.nokia.com>
Date: Thu, 01 Apr 2004 12:16:42 -0800
Cc: IPv6 Operations <v6ops@ops.ietf.org>
References: <Pine.LNX.4.44.0404010752420.1681-100000@netcore.fi>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Pekka Savola wrote:

On Wed, 31 Mar 2004, Fred Templin wrote:

But it should be obvious that this doesn't really provide much of practical mitigation, as v4 addresses can be spoofed, or you could just use a real v4 address. This check is most attractive inside a site, where it's reasonable to assume that ingress filtering is in place .. and the "everyone in PRL list" is definitely not that case.

I didn't quite catch what you meant by "a real v4 address"?

The check only protects from someone spoofing their v4 address. If the use of link-locals by strangers (remember that these have TTL=255 and are allowed to do anything Neighbor Discovery -wise) is categorically thought to be harmful (I certainly think so), this doesn't really help.

Right, but this is an issue for the upper layers (e.g., ND handling code).

(The only difference, still, with 6to4 is that the similar abuse of 6to4 is limited to global addresses -- not link-locals, even if the v4addr matched.)

In terms of link-locals, the first-pass filtering by the ISATAP decapsulator is only for the purpose of determining whether the IPv4 source address in the encapsulating header is acceptable for the IPv6 source address in the encapsualted packet. Higher layers up the stack will also likely use other mitigations in determining whether/not to accept link-local packets, but this is beyond the scope of our discussion on decapsulation.

Of course, but as LL's are treated specially e.g. by ND code, this makes the ISATAP decapsulation non-equivalent to 6to4 decapsulation.

I'm not sure what you mean by this; ND handling code comes *after*
decapsulation; not during - correct? The only mitigations specified
by 6to4 for decapsulation are found in the second paragraph of
([RFC3056], section 10) and these are optional.

The final sentence of that paragraph says: "2002:: traffic must also
be excepted from checks applied to prevent spoofing of "6 over 4"
traffic [6OVER4]." Perhaps a similar sentence with
s/6over4/ISATAP is needed somewhere?

Fred
ftemplin@iprg.nokia.com

Follow-Ups:
- Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
  - From: Pekka Savola <pekkas@netcore.fi>

References:
- Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: Request to Advance "Application Aspects of IPv6 Transition"
Next by Date: Re: DHCP auth in unmanaged [Re: WG Last Call: draft-ietf-v6ops-unmaneval-01.txt]
Previous by thread: Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
Next by thread: Re: ISATAP, v6inv4 and 6to4 tunnel interworkings [RE: ISATAP vs a lter natives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-0 9 .txt] ]
Index(es):
- Date
- Thread