I think most of the items are answered in my reply to Brian.
>> there's no way for the current API to recognize IPv4 traffic on top
>> of AF_INET6 socket (appears as IPv4 mapped address), and native
>> IPv6 traffic with IPv4 mapped address in the header. At least
>> we need to provide the functionality.
>Why does there need to be a distinction? In either case the communication
>is with an IPv4 host. I don't understand why, from a policy point of view,
>it matters to the target host whether the packet was routed directly
>using IPv4 or translated into IPv6 from IPv4 by a SIIT box. The initiating
>host is an IPv4 host by virtue of the fact that the address is an IPv4 mapped
>IPv6 address.

What I'm worried about is:
- when we are outside of the SIIT cloud, and
- when we get an IPv6 packet with an IPv4 mapped address as src/dst.
This is the third case in the following chart. Sorry if I was not
clear enough.

For this case, I can do nothing but consider the packet as malicious,
as no specification gives me any interpretation, and the packet
is indeed usable to impersonate some IPv4 peer.

Just to be clear, the documents say the following:
- RFC2373 is silent about this case; RFC2373 only says that
  the IPv4 mapped address indicates an IPv4 peer. In the third case,
  however, this does not really indicate an IPv4 peer.
- RFC2553 is also silent about this case; it talks about how
  a real IPv4 peer is presented on the AF_INET6 API.
- SIIT is not the document to look at.

in/out of    IP version/src/dst   what does the      getpeername sees
SIIT cloud   of packet            src represent?
---          ---                  ---                ---
inside       IPv6, IPv4 mapped    SIIT-translated    IPv4 mapped
                                  IPv4 peer          on AF_INET6
inside       IPv4                 shouldn't happen   can't accept
                                                     it (IPv6 only)
outside      IPv6, IPv4 mapped    impersonator       IPv4 mapped on
                                  (IMHO)             AF_INET6
outside      IPv4                 real IPv4 peer     IPv4 mapped
                                                     on AF_INET6
                                                     (2553 behavior)
                                                     or IPv4 on
                                                     AF_INET

itojun
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
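
The chart in the message above, written as a wire-level check. This is an added example, not code from the original message or from any IPng implementation. The names classify, inside_siit and the verdict values are hypothetical, and the verdict for the third row follows the opinion stated in the message. It shows that the same IPv6 header with an IPv4 mapped source gets opposite interpretations depending only on whether the node is inside the SIIT cloud, which is why the decision has to be made while the on-wire IP version is still visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>

/* One verdict per chart row, plus cases the chart does not cover. */
enum verdict { V_SIIT_TRANSLATED, V_CANNOT_ACCEPT, V_SUSPECT_MAPPED,
               V_REAL_IPV4, V_NATIVE_IPV6, V_MALFORMED };

/* pkt: IP header as seen on the wire, before the stack turns it into a
 * socket address. inside_siit: hypothetical local configuration flag. */
enum verdict classify(const uint8_t *pkt, size_t len, int inside_siit)
{
    struct in6_addr src, dst;
    if (pkt == NULL || len < 1)
        return V_MALFORMED;
    switch (pkt[0] >> 4) {                 /* IP version nibble */
    case 4:
        if (len < 20)                      /* minimum IPv4 header */
            return V_MALFORMED;
        return inside_siit ? V_CANNOT_ACCEPT : V_REAL_IPV4;  /* rows 2, 4 */
    case 6:
        if (len < 40)                      /* fixed IPv6 header */
            return V_MALFORMED;
        memcpy(&src, pkt + 8, 16);         /* source address field */
        memcpy(&dst, pkt + 24, 16);        /* destination address field */
        if (!IN6_IS_ADDR_V4MAPPED(&src) && !IN6_IS_ADDR_V4MAPPED(&dst))
            return V_NATIVE_IPV6;
        /* rows 1 and 3: same header, opposite meaning (row 3 per the message) */
        return inside_siit ? V_SIIT_TRANSLATED : V_SUSPECT_MAPPED;
    default:
        return V_MALFORMED;
    }
}

/* Constructed sample: bare IPv6 header with source ::ffff:192.0.2.1. */
void sample_mapped_v6(uint8_t out[40])
{
    static const uint8_t m[16] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff,192,0,2,1};
    memset(out, 0, 40);
    out[0] = 0x60;                         /* version 6 */
    memcpy(out + 8, m, 16);
}

int main(void)
{
    uint8_t p[40];
    sample_mapped_v6(p);
    printf("inside=%d outside=%d\n", classify(p, 40, 1), classify(p, 40, 0));
}
```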