Subject: Re: IPv6 and ipf question...
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: None <itojun@iijlab.net>
List: tech-security
Date: 05/11/2000 11:35:31
cc: tech-security@netbsd.org
In-reply-to: mason's message of Wed, 10 May 2000 22:18:33 -0400.
<20000510221833.D3865@acheron.middleboro.ma.us>
Message-ID: <9776.958012531@coconut.itojun.org>
>> do you want to filter in IPv6 layer, or filter encapsulated packets?
>Wait... Using gif0, aren't those two things the same?
Yes, if you filter on gif, configured to do an IPv6-over-IPv4 tunnel,
you will filter on the IPv6 layer.
>Or are you saying
>that it might be possible for other folks to step into the conversation
>between my gif0 and freenet6, such that I'd want to filter the IPv4
>packets carrying my IPv6 traffic? This makes me aware of my general
>lack of a clue regarding exactly how gif0 works / authenticates / talks.
gif has no authentication at all. gif captures tunnelled packets
based on the IPv4 (or outer) src/dst pair only.
Anyone can inject a tunnelled packet into your site. So, depending
on the security requirements at your site, you may need to filter out,
IPv4-wise, tunnelled packets (IPv4 proto 41) with an unexpected IPv4
src/dst pair. I really hope to see more deployment of native IPv6
(or IPv4/v6 dual stack) leased line connections, rather than tunnels.
>> if the latter, you may want to reject packets from unknown parties
>> (i.e. non-freenet6) that have IP protocol # 41 (NOT tcp/udp port #).
>Hm... So, gif0 isn't using tcp or udp? I need to UTSL. I was thinking
>of the former, but the latter is doubtless worth doing as well. Thanks
>for the suggestion, and all the cool IPv6 work.
If you do IPv6-over-IPv4 over a gif interface, packets are based on
RFC 1933 section 4.2. It is neither TCP nor UDP.
>Now if I can only get IPv6 on the Macintoshes, I could run it internally...
>Urgh. Apple's web site talks about IPv6 and IPsec in terms of their being
>hot topics for WWDC 2000. Oh well. :)
I'd love to see IPv6-ready MacOS sooner.
itojun
11:31:42.604955 203.178.140.203 > 202.232.15.98: fe80::2e0:18ff:fe98:2725.521 > ff02::9.521: ripng-resp 17:[|rip] (len 352, hlim 255) (ttl 26, id 41532)
4500 019c a23c 0000 1a29 ca34 cbb2 8ccb
cae8 0f62 6000 0000 0160 11ff fe80 0000
v4 header--------> <-- v6 header
0000 0000 02e0 18ff fe98 2725 ff02 0000
0000 0000 0000 0000 0000 0009 0209 0209
v6 header --->
0160 d59a 0201 0000 0000 0000 0000 0000
0000
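As an added illustration (not part of itojun's message, and not NetBSD or ipf code), the following Python decodes the proto-41 packet quoted in the hex dump above and applies the check recommended earlier in the thread: a tunnelled packet is acceptable only when its outer IPv4 src/dst pair matches the configured tunnel endpoints, since gif itself performs no authentication. The local and peer addresses passed to tunnel_verdict are assumptions for the example; the packet bytes are taken verbatim from the dump.

```python
import ipaddress
import struct

# Hex dump of the proto-41 packet quoted at the end of the message:
# outer IPv4 header, then the inner IPv6 header and the start of its
# RIPng (UDP port 521) payload. Only the first 82 bytes were captured.
PACKET_HEX = """
4500 019c a23c 0000 1a29 ca34 cbb2 8ccb
cae8 0f62 6000 0000 0160 11ff fe80 0000
0000 0000 02e0 18ff fe98 2725 ff02 0000
0000 0000 0000 0000 0000 0009 0209 0209
0160 d59a 0201 0000 0000 0000 0000 0000
0000
"""
PACKET = bytes.fromhex("".join(PACKET_HEX.split()))

IPPROTO_IPV6 = 41  # RFC 1933 section 4.2: IPv6 carried directly inside IPv4


def parse_outer_ipv4(pkt):
    """Decode the outer IPv4 header fields a proto-41 filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
        # total_len may exceed what was captured; slicing just truncates
        "payload": pkt[ihl:total_len],
    }


def parse_inner_ipv6(payload):
    """Decode the fixed 40-byte IPv6 header of the encapsulated packet."""
    if len(payload) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, plen, nxt, hlim, src, dst = struct.unpack("!IHBB16s16s", payload[:40])
    if vtcfl >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    return {
        "plen": plen, "nxt": nxt, "hlim": hlim,
        "src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst),
    }


def tunnel_verdict(pkt, local_v4, peer_v4):
    """
    Proto-41 packets pass only when the outer src/dst pair is exactly
    (peer, local); any other proto-41 packet is blocked. Non-41 traffic is
    left to other rules. local_v4 and peer_v4 are the site's tunnel
    endpoints (assumed values in the usage below).
    """
    hdr = parse_outer_ipv4(pkt)
    if hdr["proto"] != IPPROTO_IPV6:
        return "not-a-tunnel-packet"
    if (hdr["src"] == ipaddress.IPv4Address(peer_v4)
            and hdr["dst"] == ipaddress.IPv4Address(local_v4)):
        return "pass"
    return "block"


if __name__ == "__main__":
    outer = parse_outer_ipv4(PACKET)
    inner = parse_inner_ipv6(outer["payload"])
    print(f"outer {outer['src']} > {outer['dst']} proto {outer['proto']} "
          f"ttl {outer['ttl']} id {outer['id']}")
    print(f"inner {inner['src']} > {inner['dst']} len {inner['plen']} "
          f"hlim {inner['hlim']} nxt {inner['nxt']}")
    # Assumed endpoints: the dump's own outer pair is the configured tunnel.
    print(tunnel_verdict(PACKET, "202.232.15.98", "203.178.140.203"))  # pass
    print(tunnel_verdict(PACKET, "202.232.15.98", "192.0.2.1"))        # block
```

The decoded fields line up with the tcpdump summary line (ttl 26, id 41532, inner len 352, hlim 255, UDP 521 to 521). The same policy expressed as ipf rules on the outer interface would be a `pass in quick on <if> proto 41 from <peer> to <local>` followed by `block in quick on <if> proto 41 from any to any`; whichever tool enforces it, the point is that the outer address pair is the only thing gif checks, so it is the only thing the filter can anchor on.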