[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: direct tunneling vs site's control [RE: POLL: Consensus for moving forward with Teredo?]

To: "Bound, Jim" <jim.bound@hp.com>
Subject: RE: direct tunneling vs site's control [RE: POLL: Consensus for moving forward with Teredo?]
From: Pekka Savola <pekkas@netcore.fi>
Date: Sat, 1 May 2004 23:03:29 +0300 (EEST)
Cc: Liu Min <liumin@ict.ac.cn>, <v6ops@ops.ietf.org>
In-reply-to: <9C422444DE99BC46B3AD3C6EAFC9711B0644B706@tayexc13.americas.cpqcorp.net>

On Sat, 1 May 2004, Bound, Jim wrote:
> > On Sat, 1 May 2004, Bound, Jim wrote:
> > > I have heard from three different users in the ISR (Intelligence, 
> > > Surveillance, and Reconnaissance) deployment community, all 
> > different 
> > > entities, that any transition mechanisms, which use special IPv6 
> > > prefixes are a non-starter in certain cases.
> > 
> > I'm not fully sure if I understand the scenario, but if I 
> > think this is what I think it is, the main problem is not a 
> > special IPv6 prefix, but being to tunnel directly to the node 
> > in a way that the host's site losts manageability.
> 
> That is the end result (loss of manageability) but the root cause was
> permitting hard coded prefixes in the network.

No, the root cause is not hard coded prefixes themselves; it's being 
able to tunnel past the management -- that can be done either with a 
mechanism which has a special prefix, or some mechanism which does not 
have one.  Hard coded prefixes themselves do not cause this.

> > > The two that are not
> > > useful for that reason are 6to4 and Teredo.  They present a 
> > potential 
> > > security hole because nodes can create them ad hoc theoretically and
> > > IPv6 packets could be sent to them, and they are not within the 
> > > address space defined by these communities, and causes 
> > permanent infrastructure.
> > 
> > 6to4 and Teredo have direct tunneling, of course; both can be 
> > blocked easily at the border, but if the site is not aware of 
> > them being used...
> 
> Blocking puts extra methods in the edge of this highly secure network,
> and as you say they could be created without the site being aware of
> them.

True, but it's worth remembering that there will always be these
"cover channels" through the edges.  People tunnel IP even through
HTTP proxies.. 

So, the question is how much effort should be needed for the sites who
wish to block the attempts at creating IPv6 connectivity
(automatically) by their hosts.

> > In some networks 6to4 is less of a problem if private IPv4 
> > addresses are used as the internal nodes cannot use 6to4 tunneling.
> 
> In this case there are not PI or private addresses all addresses are
> globally routable IPv6 and security methods are used to secure all
> communications at various points.

Obviously for these methods to be worth considering, IPv6 addresses 
must be globally routable.. but the point is whether the _IPv4_ 
addresses are globally reachable or not.

In other words, if a host has enabled ISATAP interface or 6to4
pseudo-interface, is it even possible to send IPv4 proto-41 directly
to the hosts (this is obviously impossible w/ private addresses).

> > > The two mechanisms that may work well at this time are DSTM and 
> > > ISATAP, and objective is to let ISATAP phase out automatically with 
> > > deployment (large advantage of ISATAP to them). Rigorous security 
> > > holes for DSTM and ISATAP are being searched now.  That is all I 
> > > really know at this point and it is new.
> > 
> > ISATAP is equally problematic as 6to4.   You can tunnel packets 
> > directly to the nodes if they have public addresses using 
> > fe80::<ISATAP> -addressing -- unless those have been 
> > (properly) blocked at the border.
> 
> As I understand it ISATAP is restricted to extended subnets as nodes
> evolve to IPv6 deployment, until IPv6 capable is turned on, but will not
> be used off of the subnet. 

I'm not 100% sure what you meant precisely, but obviously ISATAP nodes 
are reachable through the ISATAP router, and you can tunnel directly 
to the ISATAP nodes if the ip-proto-41 access hasn't been blocked (as 
one should).

> The FE80 token is also only available on the local link and not
> routable except by ISATAP relays and those will only be on extended
> subnet with host attached links and not typical routing.

If ip-proto-41 packets are not dropped at the border of the site 
running ISATAP, and global addresses are used, anyone can tunnel 
directly to the ISATAP hosts w/ FE80 prefix.

That's why "just turn on ISATAP interface" is not really too secure.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

References:
- RE: direct tunneling vs site's control [RE: POLL: Consensus for moving forward with Teredo?]
  - From: "Bound, Jim" <jim.bound@hp.com>

Prev by Date: RE: direct tunneling vs site's control [RE: POLL: Consensus for moving forward with Teredo?]
Next by Date: Re: FW: Comment on RFC 3750
Previous by thread: RE: direct tunneling vs site's control [RE: POLL: Consensus for moving forward with Teredo?]
Next by thread: RE: direct tunneling vs site's control [RE: POLL: Consensus for moving forward with Teredo?]
Index(es):
- Date
- Thread