[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: One socket per AF (Was: 6to4 using ::FFFF:0000:0000/96...)
Thanks for the detailed answer.
My comments are in line.
Kevin Day a écrit :
On Jan 28, 2008, at 9:44 AM, Rémi Després wrote:
Jeroen Massar wrote :
But using it on the wire or when presenting it to users is definitely
not.
Why ???
The problem with presenting v4 mapped/compatibility addresses on the
wire is that the behavior of such packets has been left undefined so far.
* How these packets should be routed is completely undefined.
I agree that there is some blank here.
However If a route is configured, with the 0::/64 prefix, to reach
NATv6-v4 boxes, the longest prefix match will do what is expected.
Any other assumption would require some extra code.
Should
routers handle them as though they were normal v6 unicast addresses? Or
should they look at the v4 address and route them the same way as though
it were v4?
NO.
What about "special" v4 addresses (127.0.0.1, multicast,
etc)? From my very limited testing, it looks like Juniper routers drop
them, even if you add specific routes within the /96s for them. Our very
IPv4 multicast destinations will have, and must have, the same fate in
NATv4-v4s.
* There seems to be no behavior for 6to4, Teredo or tunnel brokers to do
that results in anything working when receiving packets destined
to/sourced from these addresses.
Hosts considered here are assumed to be pure IPv6, and to be in sites
where NATv6-v4 is available.
Boxes that do the NATv6-v4 may also have other means to tunnel IPv6 in
IPv4.
There is no conflict because these other means act when destinations are
IPv6, not IPv4-only.
* There are profound security implications of allowing v4
mapped/compatibility addresses into your network. I'm not aware of any
firewall or security device that will handle v4 mapped/compatibility
addressed v6 packets, while still handling any of the behaviors
considered for v4. One example brought up on one of the FreeBSD mailing
lists long ago, before "net.inet6.ip6.v6only" got defaulted to "1"
(essentially turning off v4 compatibility address use) was something like:
# Add a firewall rule keeping everyone out of my telnet server. All
packets from anywhere to 1.2.3.4 to port 23 are dropped.
ipfw add drop tcp from any to 1.2.3.4 23
Now, even if this host has no v6 configured beyond an auto-configured
link-local address, it was possible to "telnet ::FFFF:0102:0304" from
somewhere else on the LAN and bypass the firewall.
I am not sure I see the configuration.
But the NATv6-v4 I discuss being only for outgoing connections, it seems
guaranteed that it cannot not create a new hole for incoming connections.
Since then changes
were made to prevent this sort of thing in the simplest of cases (v4
compatibility addresses off by default, not accepting them over the wire
at any time, etc).
While that's a really simplistic example, it shows that allowing these
packets on the wire adds an attack vector that wouldn't be considered by
most. Its giving attackers three different ways of expressing the same
address(v4 native, mapped, and compatibility) which doesn't take much
imagination to see being exploited.
The mapped address is only to express the public address of IPv4-only
hosts where native such addresses cannot be used (in IPv6-only
applications and at IPv6 link interfaces of IPv6-only hosts).
It is not one more way to do something already done.
* There's no standard for how clients/servers should respond to these,
leading to breakage already. If you send a Linux server a packet to
::FFFF:0102:0304 it responds back using its v4 stack with 1.2.3.4.
Windows uses its v6 stack, even when it probably doesn't make sense to
(through 6to4/Teredo tunnels). Mac OS X and the BSDs drop all packets in
::FFFF:0:0/96 and ::/96 going in/out.
The case at hand is for an IPv6-only host reaching IPv4-only servers.
These servers will not see any mapped address.
The only time I could ever see them being acceptable is on a link-local
scope, and only to/from your gateway for NAT-PT,
It would work as well in multi-subnet sites provided both IPv6 and IPv4
are routed (and that the 0::/64 prefix is not artificially forbidden in
intra-site routers).
and only in the case
where you've got a v6-ONLY box that must talk to a v4 device.
This "only" case is IMHO worth dealing with.
It could very well become soon a practical case, when boxes that support
NATv4-v4 also support NATv6-v4, a rather simple an extension (longer
address support in NAT tables).
Even then
though, it feels wrong. :)
I do hope you will soon feel differently, and even enthousiastic as I am
about this simple solution to a real problem.
Thanks again for the discussion.
Rémi