Subject: Re: IPv6 and ipf question...
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: itojun@iijlab.net
List: tech-security
Date: 05/11/2000 11:35:31
cc: tech-security@netbsd.org
In-reply-to: mason's message of Wed, 10 May 2000 22:18:33 -0400.
      <20000510221833.D3865@acheron.middleboro.ma.us>
Message-ID: <9776.958012531@coconut.itojun.org>


>> do you want to filter in IPv6 layer, or filter encapsulated packets?
>Wait... Using gif0, aren't those two things the same?

	yes, if you filter on gif, configured to do IPv6-over-IPv4 tunnel,
	you will filter on IPv6 layer.

>Or are you saying
>that it might be possible for other folks to step into the conversation
>between my gif0 and freenet6, such that I'd want to filter the IPv4
>packets carrying my IPv6 traffic? This makes me aware of my general
>lack of a clue regarding exactly how gif0 works / authenticates / talks.

	gif has no authentication at all.  gif captures tunnelled packet
	based on IPv4 (or outer) src/dst pair only.

	anyone can inject to your site a tunnelled packet.  so depending
	on security requirement at your site, you may need to filter out,
	IPv4-wise, tunnelled packet (IPv4 proto 41) with unexpected IPv4
	src/dst pair.  I really hope to see more deployment of native IPv6
	(or IPv4/v6 dual stack) leased line connection, rather than tunnels.

>> if the latter, you may want to reject packets from unknown parties
>> (i.e. non-freenet6) that has IP protocol # 41 (NOT tcp/udp port #).
>Hm... So, gif0 isn't using tcp or udp? I need to UTSL. I was thinking
>of the former, but the latter is doubtless worth doing as well. Thanks
>for the suggestion, and all the cool IPv6 work.

	If you do IPv6-over-IPv4 over gif interface, packets are based on
	RFC1933 section 4.2.  it is not TCP nor UDP.

>Now if I can only get IPv6 on the Macintoshes, I could run it internally...
>Urgh. Apple's web site talks about IPv6 and IPsec in terms of their being
>hot topics for WWDC 2000. Oh well. :)

	I'd love to see IPv6-ready MacOS sooner.

itojun



11:31:42.604955 203.178.140.203 > 202.232.15.98: fe80::2e0:18ff:fe98:2725.521 > ff02::9.521:  ripng-resp 17:[|rip] (len 352, hlim 255) (ttl 26, id 41532)
                         4500 019c a23c 0000 1a29 ca34 cbb2 8ccb
                         cae8 0f62 6000 0000 0160 11ff fe80 0000
                v4 header--------> <-- v6 header
                         0000 0000 02e0 18ff fe98 2725 ff02 0000
                         0000 0000 0000 0000 0000 0009 0209 0209
                                        v6 header --->
                         0160 d59a 0201 0000 0000 0000 0000 0000
                         0000
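Added example, not part of itojun's mail or of ipf itself: a small Python decoder for the tcpdump hex above that applies the IPv4-side check he describes, accepting protocol 41 only when the outer src/dst pair is the configured tunnel peer and dropping it otherwise. The allowed pair and the spoofed variant are constructed from the addresses in the dump and are assumptions for the demo.

```python
import ipaddress

IPPROTO_IPV6 = 41  # protocol number of IPv6-in-IPv4 tunnels (RFC 1933 section 4.2)

# Sample input, copied from the tcpdump hex above: outer IPv4 header, then the
# tunnelled IPv6 header and the start of the UDP/RIPng payload (dump is truncated).
SAMPLE = bytes.fromhex(
    "4500 019c a23c 0000 1a29 ca34 cbb2 8ccb"
    "cae8 0f62 6000 0000 0160 11ff fe80 0000"
    "0000 0000 02e0 18ff fe98 2725 ff02 0000"
    "0000 0000 0000 0000 0000 0009 0209 0209"
    "0160 d59a 0201 0000 0000 0000 0000 0000"
    "0000"
)

# Assumed tunnel configuration (constructed from the dump's own addresses): the
# one outer (src, dst) pair this host expects proto-41 packets to arrive with.
ALLOWED_PAIRS = {
    (ipaddress.IPv4Address("203.178.140.203"), ipaddress.IPv4Address("202.232.15.98")),
}

def parse_outer_ipv4(pkt):
    """Protocol, source, destination and header length of the outer IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), ihl

def parse_inner_ipv6(hdr):
    """Next header, hop limit, source and destination of an IPv6 header."""
    return hdr[6], hdr[7], ipaddress.IPv6Address(hdr[8:24]), ipaddress.IPv6Address(hdr[24:40])

def tunnel_decision(pkt, allowed_pairs):
    """IPv4-side check: gif matches only on the outer src/dst pair and does no
    authentication, so a filter in front of it must drop proto-41 packets whose
    outer pair is not a known peer."""
    proto, src, dst, _ = parse_outer_ipv4(pkt)
    if proto != IPPROTO_IPV6:
        return "not-tunnel"  # leave it to the ordinary IPv4 rules
    if (src, dst) not in allowed_pairs:
        return "block"       # injected tunnel packet from an unknown party
    return "pass"            # expected peer; gif will decapsulate it

def inner_summary(pkt):
    """What gif would hand to the IPv6 layer after decapsulating a passed packet."""
    _, _, _, ihl = parse_outer_ipv4(pkt)
    nh, hlim, src6, dst6 = parse_inner_ipv6(pkt[ihl:ihl + 40])
    return f"{src6} -> {dst6} next-header {nh} hlim {hlim}"

if __name__ == "__main__":
    print(tunnel_decision(SAMPLE, ALLOWED_PAIRS), inner_summary(SAMPLE))
    # Same packet re-sent from an unexpected outer source (constructed; checksum not fixed up).
    spoofed = SAMPLE[:12] + bytes([10, 0, 0, 1]) + SAMPLE[16:]
    print(tunnel_decision(spoofed, ALLOWED_PAIRS))
```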