
Re: WG Last Call draft-ietf-v6ops*secur*overview*



Hi Elwyn,

On Tue, 07 Jun 2005 16:16:28 +0100
Elwyn Davies <elwynd@dial.pipex.com> wrote:

> Thanks for the comments:
> 

No worries. Hope they're useful.

<snip>

> >
> >"Appendix A.  IPv6 Probing/Mapping Considerations"
> >
> >.
> >.
> >.
> >
> >"For example, automatic tunneling mechanisms use rather deterministic
> >   methods for generating IPv6 addresses, so probing/port-scanning an
> >   IPv6 node is simplified.  The IPv4 address is embedded at least in
> >   6to4, Teredo and ISATAP address.  Further than that, it's possible
> >   (in the case of 6to4 in particular) to learn the address behind the
> >   prefix; for example, Microsoft 6to4 implementation uses the address
> >   2002:V4ADDR::V4ADDR while Linux and BSD implementations default to
> >   2002:V4ADDR::1.  This could also be used as one way to identify an
> >   implementation."
> >
> >"IPv4-compatible IPv6 addresses" could be worth describing as an even
> >better example of IPv6 tunnel end point address that is directly
> >deterministic from an IPv4 address.
> >  
> >
> The latest addressing architecture deprecates these addresses and v6ops 
> is not recommending any mechanisms that use this kind of address, so I 
> think I would prefer not to talk about IPv4 compatibles, even if they 
> were once an issue.
> 

Oh, OK. I've seen it being discussed on the MLs, although I wasn't
reading the threads. I thought it was only discussing the "IPv4-mapped
IPv6 Addresses" this draft discusses in section 2.2, specifically
representing an IPv4 address as an IPv6 address within the OS. I'm not
really a programmer, and I thought that the discussion was only covering
the IPv6 APIs and related IPv4/IPv6 issues.

Just to make sure we're both talking about the same things, are
"IPv4-mapped IPv6 Addresses" the same as "IPv4-compatible IPv6
addresses"? The text in this draft says:

"the use of IPv4-mapped addresses
   has been extended to a transition mechanism, Stateless IP/ICMP
   Translation algorithm (SIIT) [RFC2765], where they are potentially
   used in the addresses of packets on the wire."

which I read to mean that before SIIT (RFC date February 2000),
"IPv4-mapped addresses" wouldn't be seen on the wire. Yet the first
"IPv4-compatible IPv6 addresses" RFC, RFC1933, is dated April 1996,
indicating that IPv4-compatible IPv6 addresses would be seen on the wire
prior to SIIT. That makes me wonder if we are talking about the same
thing?

I'm happy to check the latest addressing architecture RFC or draft to
find out myself if they are the same.

If they are the same, this draft might benefit from using both terms in
the above text at least once to show that they are the same thing.

> >I'm finding that on my Linux 6to4 tunnel interface, they are
> >automatically configured, which surprised me a bit. I'm also getting an
> >automatic ::/96 route pointing out my 6to4 tunnel which I don't think
> >makes sense. Looking at RFC2893, it seems that automatic assignment and a
> >::/96 route should happen if the OS supports "IPv4-compatible IPv6
> >addresses".
> >
> >Possibly (thinking about it a bit more, probably) this could be
> >considered a Linux bug, as Linux isn't considering the difference
> >between a "IPv4-compatible IPv6 address" tunnel and a 6to4 tunnel. Even
> >if it is, I think automatic "IPv4-compatible IPv6 addresses" on
> >appropriate tunnels on Linux and other OSes would be an IPv6 security
> >concern, and therefore probably mentioned in this draft.
> >
> >A minor nit. I'm not sure about the Linux default interface address of
> >::1 for 6to4 tunnels. Using either of the ifconfig and iproute2 utilities, I
> >don't seem to be able to specify a prefix without a node address for a 6to4
> >tunnel, therefore asking Linux to select an interface address. I'd
> >suggest the "default" interface address of Linux 6to4 tunnels is ::1
> >probably only because of human nature when configuring the local 6to4
> >tunnel end point IPv6 address.
> >  
> >
> Do you want to alter the text?  It currently states that Linux and BSD 
> *default* to xx::1, which means that a more fastidious human has the 
> option to do something else.  Does it really need any more text?
> 

That's the thing. I can't get "Linux" itself to default to ::1, because
I'm forced to specify a full IPv6 address, and being a lazy human _I'll_
pick ::1 by default for the interface ID. It seems that Linux itself
doesn't have a default value at all, and it is not possible to make
Linux pick one. If you've seen that "default" I think it is probably in
the scripts to set up a 6to4 tunnel, and they are distribution dependent.
I realise the difference is somewhat pedantic; however, I'd take a
statement that "Linux defaults to ::1" to mean that all distributions
based on the Linux kernel would default to ::1, and that may not be the
case, or if it is today, may not be in the future.

Thanks,
Mark.
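The thread above turns on two points a defender reviewing address logs needs to keep straight: that automatic tunnelling addresses (6to4, Teredo, ISATAP) embed the IPv4 tunnel endpoint in a deterministic position, and that "IPv4-compatible" (::a.b.c.d) and "IPv4-mapped" (::ffff:a.b.c.d) addresses are two distinct forms. The following script is an added example, not part of the thread or the draft, that classifies an IPv6 address by transition mechanism and recovers the embedded IPv4 address so that tunnelled traffic can be correlated with its IPv4 endpoint in monitoring. It relies on Python's standard `ipaddress` module (the `ipv4_mapped`, `sixtofour` and `teredo` properties) plus hand-written checks for the IPv4-compatible and ISATAP forms; the ISATAP interface-identifier layout (`0000:5efe` or `0200:5efe` followed by the IPv4 address) and the Teredo decoding follow the published specifications, and every sample address is constructed for this example.

```python
import ipaddress

IID_MASK = 0xFFFFFFFFFFFFFFFF          # low 64 bits: interface identifier
ISATAP_IID_PREFIX = 0x00005EFE         # upper 32 bits of an ISATAP IID, 'u' bit cleared
ISATAP_U_BIT = 0x02000000              # the universal/local bit in the IID's first octet


def classify_transition_address(text):
    """Classify an IPv6 address and extract any embedded IPv4 tunnel endpoint.

    Returns a dict with keys 'mechanism', 'ipv4' (string or None) and 'note'.
    Order matters: the mapped and 6to4/Teredo forms are checked before the
    looser IPv4-compatible and ISATAP patterns.
    """
    addr = ipaddress.IPv6Address(text)
    value = int(addr)

    # ::ffff:a.b.c.d -- the host-internal (API) representation of an IPv4 peer;
    # on the wire only with a translator such as SIIT.
    if addr.ipv4_mapped is not None:
        return {"mechanism": "ipv4-mapped", "ipv4": str(addr.ipv4_mapped),
                "note": "API/translator form, normally not seen on the wire"}

    # 2002:V4ADDR::/48 -- the IPv4 address sits in bits 16..47.
    if addr.sixtofour is not None:
        v4 = addr.sixtofour
        sla = (value >> 64) & 0xFFFF           # the 16-bit subnet field after V4ADDR
        iid = value & IID_MASK
        if sla == 0 and iid == int(v4):
            note = "interface ID repeats V4ADDR (2002:V4ADDR::V4ADDR form)"
        elif sla == 0 and iid == 1:
            note = "interface ID is ::1 (2002:V4ADDR::1 form)"
        else:
            note = "non-trivial subnet or interface ID"
        return {"mechanism": "6to4", "ipv4": str(v4), "note": note}

    # 2001:0::/32 -- Teredo; ipaddress decodes server and (obfuscated) client.
    if addr.teredo is not None:
        server, client = addr.teredo
        return {"mechanism": "teredo", "ipv4": str(client),
                "note": "Teredo client behind NAT, server %s" % server}

    # ::a.b.c.d -- deprecated IPv4-compatible form: top 96 bits zero,
    # low 32 bits an address other than the unspecified (::) or loopback (::1).
    if value >> 32 == 0 and (value & 0xFFFFFFFF) > 1:
        return {"mechanism": "ipv4-compatible",
                "ipv4": str(ipaddress.IPv4Address(value & 0xFFFFFFFF)),
                "note": "deprecated automatic-tunnel form"}

    # Any prefix with an ISATAP interface identifier ..:0:5efe:a.b.c.d / ..:200:5efe:a.b.c.d
    iid = value & IID_MASK
    if ((iid >> 32) & ~ISATAP_U_BIT) == ISATAP_IID_PREFIX:
        return {"mechanism": "isatap",
                "ipv4": str(ipaddress.IPv4Address(iid & 0xFFFFFFFF)),
                "note": "ISATAP interface identifier"}

    return {"mechanism": "native-or-unknown", "ipv4": None, "note": ""}


def embedded_endpoints(addresses):
    """Map each address to its embedded IPv4 endpoint (None for native addresses).

    Handy for joining IPv6 log entries back to IPv4 firewall/NAT records.
    """
    return {a: classify_transition_address(a)["ipv4"] for a in addresses}


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not captured traffic.
    samples = [
        "2002:c000:20a::c000:20a",               # 6to4, V4ADDR repeated in the IID
        "2002:c000:20a::1",                       # 6to4, ::1 interface ID
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo
        "fe80::5efe:192.0.2.10",                  # ISATAP link-local
        "::192.0.2.10",                           # IPv4-compatible (deprecated)
        "::ffff:192.0.2.10",                      # IPv4-mapped
        "2001:db8::1",                            # native
    ]
    for s in samples:
        r = classify_transition_address(s)
        print("%-40s %-16s %-14s %s" % (s, r["mechanism"], r["ipv4"], r["note"]))
```

Run it directly to see the classification table; in a log pipeline, `embedded_endpoints()` gives the IPv4 endpoint to join on. Note that the IPv4-compatible check deliberately excludes `::` and `::1`, which share the all-zero upper 96 bits but are not tunnel addresses.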