Subject: Re: IPv6 and ipf question...
To: None <itojun@iijlab.net>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 05/10/2000 22:18:33
Date: Wed, 10 May 2000 22:18:33 -0400
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
To: itojun@iijlab.net
Cc: tech-security@netbsd.org
Subject: Re: IPv6 and ipf question...
Message-ID: <20000510221833.D3865@acheron.middleboro.ma.us>
References: <20000509174950.F357@acheron.middleboro.ma.us> <24396.957920188@coconut.itojun.org>
In-Reply-To: <24396.957920188@coconut.itojun.org>; from itojun@iijlab.net on Wed, May 10, 2000 at 09:56:28AM +0900

On Wed, May 10, 2000 at 09:56:28AM +0900, itojun@iijlab.net wrote:

> do you want to filter in IPv6 layer, or filter encapsulated packets?

Wait... Using gif0, aren't those two things the same? Or are you saying
that it might be possible for other folks to step into the conversation
between my gif0 and freenet6, such that I'd want to filter the IPv4
packets carrying my IPv6 traffic? This makes me aware of my general
lack of a clue regarding exactly how gif0 works / authenticates / talks.


> if the latter, you may want to reject packets from unknown parties
> (i.e. non-freenet6) that have IP protocol # 41 (NOT tcp/udp port #).

Hm... So, gif0 isn't using tcp or udp? I need to UTSL. I was thinking
of the former, but the latter is doubtless worth doing as well. Thanks
for the suggestion, and all the cool IPv6 work.

Now if I can only get IPv6 on the Macintoshes, I could run it internally...
Urgh. Apple's web site talks about IPv6 and IPsec in terms of their being
hot topics for WWDC 2000. Oh well. :)

-- 
    Mason Loring Bliss  mason@acheron.middleboro.ma.us  They also surf who
awake ? sleep : dream;  http://acheron.ne.mediaone.net  only stand on waves.
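
The check suggested in the quoted reply, as an added example that is not part of the original message or of ipf: it reads the protocol field of a raw IPv4 header and passes protocol 41 (IPv6-in-IPv4) only from a known tunnel peer. The peer address, the function names and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation: an IP protocol number, not a port
IPPROTO_TCP = 6
# Assumption: the tunnel broker's IPv4 endpoint (documentation address, constructed).
ALLOWED_TUNNEL_PEERS = {ipaddress.IPv4Address("192.0.2.1")}

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload

def filter_decision(packet):
    """Return 'pass', 'block' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "block"  # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "block"
    proto = packet[9]  # protocol field of the outer IPv4 header
    src = ipaddress.IPv4Address(packet[12:16])
    if proto != IPPROTO_IPV6:
        return "other"  # not tunnel traffic; left to the rest of the ruleset
    inner = packet[ihl:]
    # The payload of protocol 41 is an IPv6 header directly: no TCP/UDP ports here.
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "block"
    return "pass" if src in ALLOWED_TUNNEL_PEERS else "block"

# Constructed sample packets.
INNER_IPV6 = b"\x60" + bytes(39)  # bare 40-byte IPv6 header
TCP_TO_PORT_41 = struct.pack("!HHIIBBHHH", 1024, 41, 0, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLES = {
    "tunnel peer, proto 41": build_ipv4("192.0.2.1", "198.51.100.2", IPPROTO_IPV6, INNER_IPV6),
    "unknown host, proto 41": build_ipv4("203.0.113.9", "198.51.100.2", IPPROTO_IPV6, INNER_IPV6),
    "unknown host, TCP port 41": build_ipv4("203.0.113.9", "198.51.100.2", IPPROTO_TCP, TCP_TO_PORT_41),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {filter_decision(pkt)}")
```

The third sample is TCP to port 41 and is not matched by the protocol-41 check at all, which is the distinction the quoted reply draws.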