[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)
Hi James,
On Wed, 27 Aug 2008 12:12:28 -0700
james woodyatt <jhw@apple.com> wrote:
> On Aug 27, 2008, at 03:17, Mark Smith wrote:
> > * Native IPv6 CPE security, plus IPv4 security/functionality
> > requirements to support IPv6 transition via IPv4 tunnelling
>
> It was my understanding that this is the proper scope, not the
> alternatives you mentioned.
>
In that case, I'd still strongly suggest limiting the IPv6 in IPv6
tunnel support to authenticated protocols only. Bypassing the CPE
security using a linux box (or anything else that supports end-user
manually configured tunnels, on which the user has admin priviledges)
will be as simple as something like this (syntax probably not right ,
but that's because I've got a few minutes before I need to get ready for
work):
# ip -6 tunnel add v6cpe-bypass remote 2001:<public node address>
# nmap -e v6cpe-bypass
As I understand the current draft, this would completely bypass any and
all of the IPv6 security mechanisms in the device - and because it's so
easy to do, anybody who wants to make an attempt at attacking an
end-node will do so this way. Only permitting inbound authenticated
tunneling protocols like IPsec, l2tp or pptp would easily defeat that.
Regards,
Mark.