
Re: WG Last Call draft-ietf-v6ops*secur*overview*



Thanks for the comments:

Responses embedded below...

Mark Smith wrote:

> Hi,
>
> On Mon, 6 Jun 2005 06:00:32 -0700 (PDT)
> fred@cisco.com wrote:
>
>> Folks
>>
>> This note starts the WG Last Call for comments on
>>
>>  "IPv6 Transition/Co-existence Security Considerations", Elwyn Davies,
>>  13-May-05, <draft-ietf-v6ops-security-overview-00.txt>
>
> "Appendix A. IPv6 Probing/Mapping Considerations"
>
> .
> .
> .
>
> "For example, automatic tunneling mechanisms use rather deterministic
>   methods for generating IPv6 addresses, so probing/port-scanning an
>   IPv6 node is simplified.  The IPv4 address is embedded at least in
>   6to4, Teredo and ISATAP address.  Further than that, it's possible
>   (in the case of 6to4 in particular) to learn the address behind the
>   prefix; for example, Microsoft 6to4 implementation uses the address
>   2002:V4ADDR::V4ADDR while Linux and BSD implementations default to
>   2002:V4ADDR::1.  This could also be used as one way to identify an
>   implementation."
>
> "IPv4-compatible IPv6 addresses" could be worth describing as an even
> better example of an IPv6 tunnel end point address that is directly
> deterministic from an IPv4 address.

The latest addressing architecture deprecates these addresses and v6ops is not recommending any mechanisms that use this kind of address, so I think I would prefer not to talk about IPv4 compatibles, even if they were once an issue.

> I'm finding that on my Linux 6to4 tunnel interface, they are
> automatically configured, which surprised me a bit. I'm also getting an
> automatic ::/96 route pointing out my 6to4 tunnel which I don't think
> makes sense. Looking at RFC2893, it seems that automatic assignment and a
> ::/96 route should happen if the OS supports "IPv4-compatible IPv6
> addresses".
>
> Possibly (thinking about it a bit more, probably) this could be
> considered a Linux bug, as Linux isn't considering the difference
> between an "IPv4-compatible IPv6 address" tunnel and a 6to4 tunnel. Even
> if it is, I think automatic "IPv4-compatible IPv6 addresses" on
> appropriate tunnels on Linux and other OSes would be an IPv6 security
> concern, and therefore should probably be mentioned in this draft.
>
> A minor nit. I'm not sure about the Linux default interface address of
> ::1 for 6to4 tunnels. Using either of the ifconfig and iproute2 utilities, I
> don't seem to be able to specify a prefix without a node address for a 6to4
> tunnel, therefore asking Linux to select an interface address. I'd
> suggest the "default" interface address of Linux 6to4 tunnels is ::1
> probably only because of human nature when configuring the local 6to4
> tunnel end point IPv6 address.

Do you want to alter the text? It currently states that Linux and BSD *default* to xx::1, which means that a more fastidious human has the option to do something else. Does it really need any more text?

Regards,
Elwyn

> Regards,
> Mark.
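The address conventions argued over in this thread (6to4 prefixes 2002:V4ADDR::/48 with the ::1 and ::V4ADDR host conventions, and the deprecated IPv4-compatible ::V4ADDR form Mark found auto-configured on his Linux tunnel) as an added Python example, not part of the thread or of the draft. It uses only the standard-library ipaddress module; the sample interface addresses and the severity labels are constructed for illustration, so an operator can see at a glance which interface addresses expose their IPv4 tunnel endpoint.

```python
import ipaddress
from typing import List, Optional, Tuple

# Deprecated "IPv4-compatible" block ::V4ADDR (retired by the current addressing
# architecture, as Elwyn notes); ::/96 is also the route Mark saw Linux install.
V4COMPAT_NET = ipaddress.IPv6Network("::/96")


def embedded_ipv4(addr: str) -> Optional[Tuple[str, ipaddress.IPv4Address]]:
    """Return (kind, ipv4) when the IPv6 address carries an IPv4 endpoint, else None."""
    a = ipaddress.IPv6Address(addr)
    if a.sixtofour is not None:                      # 2002:V4ADDR::/48
        return ("6to4", a.sixtofour)
    if a.teredo is not None:                         # 2001:0::/32, client v4 XORed into low 32 bits
        return ("teredo", a.teredo[1])
    if a in V4COMPAT_NET and not (a.is_unspecified or a.is_loopback):
        return ("ipv4-compatible", ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))
    return None


def expected_6to4_endpoints(v4: str) -> dict:
    """The tunnel endpoint addresses that follow deterministically from one IPv4 address."""
    v4int = int(ipaddress.IPv4Address(v4))
    prefix = (0x2002 << 112) | (v4int << 80)
    return {
        "prefix": ipaddress.IPv6Network((prefix, 48)),
        "linux_bsd_default": ipaddress.IPv6Address(prefix | 1),      # 2002:V4ADDR::1
        "microsoft": ipaddress.IPv6Address(prefix | v4int),          # 2002:V4ADDR::V4ADDR
        "ipv4_compatible": ipaddress.IPv6Address(v4int),             # ::V4ADDR (deprecated)
    }


def audit_addresses(addrs: List[str]) -> List[Tuple[str, str, str, str]]:
    """Flag addresses that reveal an IPv4 endpoint; the deprecated IPv4-compatible
    form is rated higher (an assumed severity scheme) because nothing should be configuring it."""
    findings = []
    for s in addrs:
        hit = embedded_ipv4(s)
        if hit is None:
            continue
        kind, v4 = hit
        severity = "high" if kind == "ipv4-compatible" else "info"
        findings.append((s, kind, str(v4), severity))
    return findings


# Constructed sample of what a Linux 6to4 interface like Mark's might show
# (192.0.2.4 is a documentation address, not a real endpoint).
SAMPLE_IFACE_ADDRS = ["2002:c000:204::1", "::192.0.2.4", "fe80::1", "2001:db8::1"]

if __name__ == "__main__":
    for finding in audit_addresses(SAMPLE_IFACE_ADDRS):
        print(finding)
```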