[26827] in bugtraq
Re: IPv4 mapped address considered harmful
daemon@ATHENA.MIT.EDU (itojun@iijlab.net)
Tue Aug 27 14:43:31 2002
To: Anthony DeRobertis <asd@suespammers.org>
In-reply-to: asd's message of 27 Aug 2002 00:18:28 -0400. <1030421908.10236.6.camel@bohr>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
From: itojun@iijlab.net
Date: Tue, 27 Aug 2002 13:32:12 +0900
Message-Id: <20020827043212.5A21E4B23@coconut.itojun.org>
>> This ambiguity creates chances to malicious party to trick victim nodes.
>> Here are a couple of examples:
>How are these any different than with IPv4? I can send bad source
>addresses in IPv4 just as easily as in IPv6. IPv6 might even make it
>easier to do, e.g., reverse-path filtering (less prefixes to worry
>about).
the key difference is that it may be possible to circumvent IPv4
filters by using IPv4 mapped address (= IPv6 address like
::ffff:1.2.3.4). the problem is in additional complexity due to
the interaction between IPv4 packet and IPv6 API/packet.
>Any kernel that takes a packet saying it is from the local host
>off the wire is broken.
>Any firewall that allows through a packet from the Internet saying
>it is from the LAN is broken.
i agree with these, but some of the specifications (like SIIT)
assume the use of IPv4 mapped address on wire, making it harder
for firewalls/hosts to deal with bad addresses.
itojun
