
Re: WG Last Call draft-ietf-v6ops*secur*overview*



Hi,

On Mon, 6 Jun 2005 06:00:32 -0700 (PDT)
fred@cisco.com wrote:

> Folks
> 
> This note starts the WG Last Call for comments on
> 
>   "IPv6 Transition/Co-existence Security Considerations", Elwyn Davies,
>   13-May-05, <draft-ietf-v6ops-security-overview-00.txt>
> 

"Appendix A.  IPv6 Probing/Mapping Considerations"

.
.
.

"For example, automatic tunneling mechanisms use rather deterministic
   methods for generating IPv6 addresses, so probing/port-scanning an
   IPv6 node is simplified.  The IPv4 address is embedded at least in
   6to4, Teredo and ISATAP address.  Further than that, it's possible
   (in the case of 6to4 in particular) to learn the address behind the
   prefix; for example, Microsoft 6to4 implementation uses the address
   2002:V4ADDR::V4ADDR while Linux and BSD implementations default to
   2002:V4ADDR::1.  This could also be used as one way to identify an
   implementation."

"IPv4-compatible IPv6 addresses" could be worth describing as an even
better example of an IPv6 tunnel end-point address that is directly
deterministic from an IPv4 address.

I'm finding that on my Linux 6to4 tunnel interface, they are
automatically configured, which surprised me a bit. I'm also getting an
automatic ::/96 route pointing out my 6to4 tunnel which I don't think
makes sense. Looking at RFC2893, it seems that automatic assignment and a
::/96 route should happen if the OS supports "IPv4-compatible IPv6
addresses".

Possibly (thinking about it a bit more, probably) this could be
considered a Linux bug, as Linux isn't considering the difference
between an "IPv4-compatible IPv6 address" tunnel and a 6to4 tunnel. Even
if it is, I think automatic "IPv4-compatible IPv6 addresses" on
appropriate tunnels on Linux and other OSes would be an IPv6 security
concern, and therefore should probably be mentioned in this draft.

A minor nit. I'm not sure about the Linux default interface address of
::1 for 6to4 tunnels. Using either of the ifconfig and iproute2 utilities, I
don't seem to be able to specify a prefix without a node address for a 6to4
tunnel, thereby asking Linux to select an interface address. I'd
suggest the "default" interface address of Linux 6to4 tunnels is ::1
probably only because of human nature when configuring the local 6to4
tunnel end point IPv6 address.

Regards,
Mark.
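As an added example, not part of the message above or of the draft it comments on, the following Python shows the deterministic address derivation the draft describes and what a defender can do with it: extract the IPv4 address that a 6to4 or IPv4-compatible IPv6 address exposes, distinguish the two interface-identifier conventions the draft quotes (2002:V4ADDR::V4ADDR versus 2002:V4ADDR::1), list the tunnel addresses a host might have auto-configured for a given IPv4 address (the inventory check the Linux observation above calls for), and run the extractor over a few constructed firewall log lines. It assumes the 2002::/16 layout for 6to4 (RFC 3056) and the ::/96 layout for IPv4-compatible addresses (RFC 2893/4291); the log format, field names and addresses are constructed for the example.

```python
# Added example: not code from the original message or from the draft.
# Assumptions: 6to4 addresses are 2002::/16 with the IPv4 address in bits
# 16-47 (RFC 3056); IPv4-compatible addresses are ::/96 with the IPv4 address
# in the low 32 bits (RFC 2893 / RFC 4291). The interface-identifier styles
# follow the draft text quoted above (2002:V4ADDR::V4ADDR vs 2002:V4ADDR::1).
import ipaddress
from typing import NamedTuple, Optional

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
V4_COMPAT = ipaddress.IPv6Network("::/96")


class EmbeddedV4(NamedTuple):
    kind: str                    # "6to4" or "ipv4-compatible"
    ipv4: ipaddress.IPv4Address  # the IPv4 address the IPv6 address reveals
    iid_style: str               # how the interface identifier was formed


def embedded_ipv4(text: str) -> Optional[EmbeddedV4]:
    """Return the IPv4 address a tunnel-style IPv6 address embeds, or None."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed  # 16 bytes, network order
    if addr in SIXTOFOUR:
        v4 = ipaddress.IPv4Address(raw[2:6])  # bits 16-47 carry the IPv4 address
        iid = raw[8:16]                        # low 64 bits: interface identifier
        if iid == b"\x00" * 4 + raw[2:6]:
            style = "v4addr-suffix"   # 2002:V4ADDR::V4ADDR (Microsoft, per the draft)
        elif iid == b"\x00" * 7 + b"\x01":
            style = "one-suffix"      # 2002:V4ADDR::1 (Linux/BSD default, per the draft)
        else:
            style = "other"
        return EmbeddedV4("6to4", v4, style)
    if addr in V4_COMPAT:
        v4 = ipaddress.IPv4Address(raw[12:16])  # low 32 bits carry the IPv4 address
        if int(v4) in (0, 1):  # :: (unspecified) and ::1 (loopback) embed nothing
            return None
        return EmbeddedV4("ipv4-compatible", v4, "v4addr-suffix")
    return None


def candidate_tunnel_addresses(ipv4_text: str) -> list[ipaddress.IPv6Address]:
    """Tunnel addresses a host with this IPv4 address may have auto-configured.

    Useful for inventory: these are the addresses to look for on a host's
    6to4 or compatible-address tunnel interface and in firewall policy.
    """
    v4 = ipaddress.IPv4Address(ipv4_text).packed
    return [
        ipaddress.IPv6Address(b"\x20\x02" + v4 + b"\x00" * 6 + v4),      # 2002:V4ADDR::V4ADDR
        ipaddress.IPv6Address(b"\x20\x02" + v4 + b"\x00" * 9 + b"\x01"),  # 2002:V4ADDR::1
        ipaddress.IPv6Address(b"\x00" * 12 + v4),                        # ::V4ADDR
    ]


# Constructed sample log lines (hypothetical format: key=value fields).
SAMPLE_LOG = """\
2005-06-07T10:00:00Z accept src=2002:c000:0201::c000:0201 dst=2001:db8::80 dport=80
2005-06-07T10:00:01Z accept src=2002:c000:0201::1 dst=2001:db8::80 dport=22
2005-06-07T10:00:02Z accept src=::192.0.2.7 dst=2001:db8::80 dport=22
2005-06-07T10:00:03Z accept src=2001:db8:1::5 dst=2001:db8::80 dport=443
"""


def tunnel_sources(log: str) -> list[tuple[str, EmbeddedV4]]:
    """Find log entries whose source address exposes an embedded IPv4 address."""
    found = []
    for line in log.splitlines():
        for field in line.split():
            if field.startswith("src="):
                hit = embedded_ipv4(field[4:])
                if hit is not None:
                    found.append((field[4:], hit))
    return found


if __name__ == "__main__":
    for src, hit in tunnel_sources(SAMPLE_LOG):
        print(f"{src:28} {hit.kind:16} reveals {hit.ipv4} ({hit.iid_style})")
    for cand in candidate_tunnel_addresses("192.0.2.1"):
        print("check interface/policy for", cand)
```

Run as-is: the first loop reports the three tunnel-style sources in the sample log and the IPv4 address each one discloses; the native 2001:db8:1::5 entry is skipped. The `iid_style` field is only a hint about the likely implementation, as the draft says, not a firm identification.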