[26842] in bugtraq


Re: IPv4 mapped address considered harmful

daemon@ATHENA.MIT.EDU (itojun@iijlab.net)
Tue Aug 27 16:13:45 2002

To: Mark Tinberg <tinberg@securepipe.com>
In-reply-to: tinberg's message of Thu, 22 Aug 2002 19:31:55 EST.
      <Pine.LNX.4.44.0208221922590.3939-100000@tinberg.wi.securepipe.com> 
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
From: itojun@iijlab.net
Date: Fri, 23 Aug 2002 09:35:42 +0900
Message-Id: <20020823003542.278C94B23@coconut.itojun.org>

>>                  IPv4 mapped address considered harmful
>>                draft-itojun-v6ops-v4mapped-harmful-00.txt
>
>I'm not sure that I agree with your analysis.  The security implications 
>of IPv4-in-IPv6 addressing are no different than IPv4 addressing today.  
>Rolling out IPv6 will not remove the need for packet filtering routers 
>and firewalls.  One can currently send IPv4 packets with the source 
>address set to 127.0.0.1 or 255.255.255.255 with undesirable effects, 
>these packets should be blocked at your border and not allowed into your 
>network, the same with :ffff::127:0:0:1.
>
>No change to the IPv6 protocol or network stacks is required, one only 
>needs to maintain existing best practices by using simple packet filtering 
>devices.

	did i suggest removing firewalls from your network?  i don't think so.
	yes, if you install a firewall rule which drops ::ffff:0:0/96, you can
	remedy the problem (to some degree).  however, given that there are
	protocol proposals that make use of IPv4 mapped addresses on the wire,
	you will become incompatible with those proposals.

	changes to the protocol/network stack are required, as a firewall does
	not remedy all of the problems presented in the draft (only some of
	them).

itojun
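The two positions in the thread can be made concrete with a small address
classifier.  This is an added example, not code from the draft or from either
poster; the function names (naive_bogon, mapped_aware_bogon, drop_all_mapped,
embedded_v4) are hypothetical and the sample source addresses are constructed
for illustration.  It shows three things: a filter written in terms of native
IPv6 special addresses (::1, ::, ff00::/8, fe80::/10) does not match
::ffff:127.0.0.1 or ::ffff:255.255.255.255 at all; a filter that unwraps the
::ffff:0:0/96 prefix and applies the IPv4 bogon rules to the embedded address
catches them, including the hex spelling ::ffff:7f00:1; and the blunt border
rule of dropping all of ::ffff:0:0/96 also discards an ordinary mapped global
address such as ::ffff:198.51.100.7, which is exactly the incompatibility with
mapped-address-on-the-wire proposals that the reply warns about.

```python
import ipaddress

# Constructed sample of IPv6 source addresses as a border filter or a
# dual-stack service might see them (not taken from the draft or the post).
SAMPLE_SOURCES = [
    "2001:db8::1",              # ordinary global IPv6 address
    "::1",                      # native IPv6 loopback
    "::ffff:127.0.0.1",         # IPv4 loopback in mapped form
    "::ffff:7f00:1",            # same address, hexadecimal spelling
    "::ffff:255.255.255.255",   # IPv4 limited broadcast in mapped form
    "::ffff:10.0.0.5",          # RFC 1918 address in mapped form
    "::ffff:198.51.100.7",      # mapped form of an ordinary global IPv4 address
    "::ffff:0:0",               # mapped form of 0.0.0.0
]

V4MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")

# Explicit bogon prefixes, spelled out rather than relying on the
# is_private/is_loopback properties, whose treatment of mapped addresses
# has changed between Python versions.
V6_BOGONS = [ipaddress.IPv6Network(n) for n in
             ("::/128", "::1/128", "fe80::/10", "ff00::/8")]
V4_BOGONS = [ipaddress.IPv4Network(n) for n in
             ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
              "255.255.255.255/32")]


def naive_bogon(addr_str):
    """IPv6-only bogon check that knows nothing about ::ffff:0:0/96.
    It rejects native loopback/unspecified/multicast/link-local sources and
    nothing else, so ::ffff:127.0.0.1 passes straight through."""
    a = ipaddress.IPv6Address(addr_str)
    return any(a in net for net in V6_BOGONS)


def embedded_v4(addr_str):
    """Return the IPv4 address embedded in a mapped address, else None.
    This is what a dual-stack application ends up seeing as the peer."""
    return ipaddress.IPv6Address(addr_str).ipv4_mapped


def mapped_aware_bogon(addr_str):
    """Bogon check that unwraps ::ffff:0:0/96 and applies the IPv4 rules to
    the embedded address, so ::ffff:127.0.0.1 is treated like 127.0.0.1.
    Mapped addresses of ordinary global IPv4 hosts are still accepted."""
    a = ipaddress.IPv6Address(addr_str)
    v4 = a.ipv4_mapped
    if v4 is not None:
        return any(v4 in net for net in V4_BOGONS)
    return any(a in net for net in V6_BOGONS)


def drop_all_mapped(addr_str):
    """The blunt border rule from the reply: drop everything in ::ffff:0:0/96,
    legitimate mapped global addresses included."""
    return ipaddress.IPv6Address(addr_str) in V4MAPPED


def classify(sources=SAMPLE_SOURCES):
    """Map each source to (naive verdict, mapped-aware verdict, blanket-drop
    verdict); True means the packet would be dropped."""
    return {s: (naive_bogon(s), mapped_aware_bogon(s), drop_all_mapped(s))
            for s in sources}


if __name__ == "__main__":
    for src, verdicts in classify().items():
        print(f"{src:26} naive={verdicts[0]!s:5} "
              f"mapped_aware={verdicts[1]!s:5} drop_all_mapped={verdicts[2]}")
```

Two caveats the output makes visible.  A native-IPv6 rule set that blocks ::1
gives no protection against ::ffff:127.0.0.1, because at the IPv6 layer that
is just another address in ::ffff:0:0/96; any filter, kernel check, or
application ACL has to unwrap the mapped prefix and reapply the IPv4 rules.
And the blanket drop of ::ffff:0:0/96 is a trade-off, not a free fix: it is
only safe on networks where no mapped address is ever legitimately expected
on the wire.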
