
direct tunneling vs site's control [RE: POLL: Consensus for moving forward with Teredo?]



On Sat, 1 May 2004, Bound, Jim wrote:
> I have heard from three different users in the ISR (Intelligence,
> Surveillance, and Reconnaissance) deployment community, all different
> entities, that any transition mechanisms, which use special IPv6
> prefixes are a non-starter in certain cases.  

I'm not fully sure if I understand the scenario, but if this is what I
think it is, the main problem is not a special IPv6 prefix, but being
able to tunnel directly to the node in a way that the host's site
loses manageability.

> The two that are not
> useful for that reason are 6to4 and Teredo.  They present a potential
> security hole because nodes can create them ad hoc theoretically and
> IPv6 packets could be sent to them, and they are not within the address
> space defined by these communities, and causes permanent infrastructure.

6to4 and Teredo have direct tunneling, of course; both can be blocked 
easily at the border, but if the site is not aware of them being 
used...

In some networks 6to4 is less of a problem if private IPv4 addresses
are used as the internal nodes cannot use 6to4 tunneling.

> The two mechanisms that may work well at this time are DSTM and
> ISATAP, and objective is to let ISATAP phase out automatically with
> deployment (large advantage of ISATAP to them). Rigorous security holes
> for DSTM and ISATAP are being searched now.  That is all I really know
> at this point and it is new.  

ISATAP is as problematic as 6to4.  You can tunnel packets 
directly to the nodes if they have public addresses using 
fe80::<ISATAP> -addressing -- unless those have been (properly) 
blocked at the border.

...

For what it's worth, if this is the scenario you're worried about, just
about everything will be problematic -- if you can connect to a tunnel
server outside of the site using protocol 41 or UDP, you can go past
the site's management controls unless explicitly forbidden.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
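The three mechanisms discussed above can be recognized at a site border both from the IPv4 endpoints their IPv6 addresses embed and from the outer transport they ride on (protocol 41 for 6to4/ISATAP, UDP for Teredo). The following Python is an added example, not code from the thread or any of its participants: it decodes 6to4, Teredo and ISATAP addresses back to their IPv4 endpoints (layouts per RFC 3056, RFC 4380 and RFC 5214) and flags outer-IPv4 flow records that carry tunneled IPv6; the `key=value` flow format, the sample flows and the sample addresses are constructed.

```python
import ipaddress

# Well-known transition prefixes: 2002::/16 (6to4), 2001:0::/32 (Teredo)
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")


def decode_transition_address(addr):
    """Classify an IPv6 address as 6to4, Teredo or ISATAP and recover the
    IPv4 endpoints embedded in it; returns None for an ordinary address."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in SIX_TO_FOUR:
        # 2002:wwxx:yyzz::/48 - bits 16..47 hold the site's (public) IPv4 address;
        # a private IPv4 here means the address cannot work over the public 6to4 relays
        v4 = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        return {"mechanism": "6to4", "site_v4": str(v4), "v4_is_private": v4.is_private}
    if a in TEREDO:
        # 2001:0::/32 - server IPv4 in bits 32..63, 16 bits of flags, then the
        # client's external port and IPv4 XORed with all-ones (obfuscated for NATs)
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"mechanism": "teredo", "server_v4": str(server),
                "client_v4": str(client), "client_port": port}
    # ISATAP interface identifier 0000:5efe:a.b.c.d (or 0200:5efe with the u/l bit),
    # under any prefix: fe80::/64 link-local or an advertised global prefix
    if ((n >> 32) & 0xFDFFFFFF) == 0x00005EFE:
        v4 = ipaddress.IPv4Address(n & 0xFFFFFFFF)
        return {"mechanism": "isatap", "host_v4": str(v4), "link_local": a.is_link_local}
    return None


def flag_flow(line):
    """Flag an outer-IPv4 flow record (constructed 'key=value' fields) that a
    border filter should see: IP protocol 41 or Teredo's UDP port 3544."""
    f = dict(kv.split("=", 1) for kv in line.split())
    if f.get("proto") == "41":
        return "ipv6-in-ipv4 (6to4/ISATAP/configured tunnel)"
    if f.get("proto") == "17" and "3544" in (f.get("sport"), f.get("dport")):
        return "teredo (UDP/3544)"
    return None


if __name__ == "__main__":
    for sample in ("2002:a00:1::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "fe80::200:5efe:c0a8:101", "2001:db8::1"):
        print(sample, "->", decode_transition_address(sample))
    for flow in ("proto=41 src=198.51.100.7 dst=192.0.2.4",
                 "proto=17 src=192.168.1.20 sport=51000 dst=65.54.227.120 dport=3544"):
        print(flow, "->", flag_flow(flow))
```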