Re: IPv4 mapped address considered harmful

From: itojun@iijlab.net
Date: 08/23/02 

To: Mark Tinberg <tinberg@securepipe.com>
From: itojun@iijlab.net
Date: Fri, 23 Aug 2002 09:35:42 +0900

>> IPv4 mapped address considered harmful
>> draft-itojun-v6ops-v4mapped-harmful-00.txt
>
>I'm not sure that I agree with your analysis. The security implications
>of IPv4-in-IPv6 addressing are no different than IPv4 addressing today.
>Rolling out IPv6 will not remove the need for packet filtering routers
>and firewalls. One can currently send IPv4 packets with the source
>address set to 127.0.0.1 or 255.255.255.255 with undesirable effects,
>these packets should be blocked at your border and not allowed into your
>network, the same with :ffff::127:0:0:1.
>
>No change to the IPv6 protocol or network stacks is required, one only
>needs to maintain existing best practices by using simple packet filtering
>devices.

        did i suggest removing firewalls from your network? i don't think so.
        yes, if you install a firewall rule which drops ::ffff:0:0/96, you can
        remedy the problem (to some degree). however, given that there are
        protocol proposals that make use of IPv4 mapped address on wire, you
        will become incompatible with those proposals.

        changes to protocol/network stack is required as firewall does not
        remedy all of the problems presented in the draft (only some of them).

itojun

Relevant Pages

  • Re: IPv4 mapped address considered harmful
    ... The security implications ... of IPv4-in-IPv6 addressing are no different than IPv4 addressing today. ... Rolling out IPv6 will not remove the need for packet filtering routers ... Network Security Engineer, SecurePipe Inc. ...
    (Bugtraq)
  • Re: [fw-wiz] IPv6 and IPSec
    ... > IPSec based security is MUST for IPv6. ... > scanning/spam scanning engines. ... IPSec will not be a tunnel in IPv6. ... Where simple packet filtering will continue to be used, ...
    (Firewall-Wizards)
Quantcast