On Tue, 11 Dec 2001, Brian E Carpenter wrote:
> Pekka Savola wrote:
> > 
> > On Tue, 11 Dec 2001, Brian E Carpenter wrote:
> > > Pekka Savola wrote:
> > > ...
> > > > > > http://www.ietf.org/internet-drafts/draft-savola-ngtrans-6to4-security-00.txt
> > > > >
> > > > > (by the way, comments would be welcome ;-)
> > > ...
> > > >
> > > > > Your discussion about what should not happen are already in RFC 3056
> > > > > security issues.
> > > >
> > > > Some are, some aren't.  But the main point was, that RFC 3056 rules were a
> > > > little abstract (and as a matter of fact, wrong in one sentence), so that
> > > > they were basically unimplementable and rather non-understandable.  This
> > > > is noted in the introduction.
> > >
> > > There's no harm in an informational document making the RFC 3056 security
> > > rules more explicit, although the details are certainly implementation
> > > dependent. However, I can't find in your draft a clear reference to the
> > > sentence in 3056 that you believe is wrong.
> > 
> > It's not noted in the draft, but it was mentioned on ngtrans list.
> > 
> > In security considerations:
> > 
> >                                                            A possible
> >    plausibility check is whether the encapsulating IPv4 address is
> >    consistent with the encapsulated 2002:: address.  If this check is
> >    applied, exceptions to it must be configured to admit traffic from
> >    relay routers (Section 5).
> > 
> > The latter sentence makes no sense and is confusing, as the only packets
> > coming from relay have the native source address, not 2002::/16, and
> > destination need not be excepted if it is checked.
> 
> Sorry, I think you are wrong. If the source of a packet is a normal
> 6to4 router, the outer IPv4 source address must be consistent(*) with the
> V4ADDR of the source address in the embedded 2002:: packet. 

This is an issue with multihomed, but that does not affect discussion
here.

Anyway, multihomed IMO probably should select IPv4 address that matches
the prefix.  I see little reason to support the asymmetry (one
6to4 prefix, multiple IPv4 addresses).  In a multihoming scenario, this
would be useful only when one connection fails, but then the return 
packets could not be delivered anyway.


> But if the source of the packet is a 6to4 relay, the inner source address
> may be a native IPv6 address that would fail the consistency check,
> so the check must be skipped. That's what the second sentence says.

The sentence refers to:

whether the encapsulating IPv4 address is consistent with the encapsulated 
2002:: address.

1) You cannot receive IPv6 packets from *relay* which have 2002::/16
prefix.  If you do, someone is using 6to4 improperly.  We agree on this.


2) How do you check that 3ffe:ffff::1 is consistent with an IPv4 address?

You cannot check *consistency* unless the addresses are of form
2002:<anything at all> and <IPv4 anything at all>.  Only 2002 and IPv4 can
be compared.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
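The plausibility check the two messages above argue about, written out as an added example (editor's illustration, not code from Pekka Savola, Brian Carpenter, the draft or RFC 3056). It does the one comparison RFC 3056 describes: when the encapsulated IPv6 source is a 2002::/16 address, the V4ADDR in bits 16..47 must equal the outer IPv4 source. For a native inner source such as 3ffe:ffff::1 there is no V4ADDR to compare, so the function falls back to a configured list of relay routers; that list, the verdict names and the sample packets are assumptions made for the example, and 192.88.99.1 is used only as the example's relay address.

```python
import ipaddress

# 6to4 prefix (RFC 3056): 2002:V4ADDR::/48, with V4ADDR in bits 16..47.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def embedded_v4(addr):
    """Return the V4ADDR embedded in a 2002::/16 address, or None for a native address.

    A native IPv6 address (e.g. 3ffe:ffff::1) carries no IPv4 address at all,
    so there is nothing to compare the outer IPv4 header against.
    """
    addr = ipaddress.IPv6Address(addr)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(addr.packed[2:6])


def check_decapsulated(outer_v4_src, inner_v6_src, relay_v4_addrs=()):
    """Plausibility check on a protocol-41 packet after decapsulation.

    outer_v4_src   -- source address of the encapsulating IPv4 header
    inner_v6_src   -- source address of the encapsulated IPv6 header
    relay_v4_addrs -- IPv4 addresses of relay routers this site accepts
                      native-sourced IPv6 from (assumed local policy; the
                      thread only says such exceptions "must be configured")

    Returns a verdict string (names chosen for this example).
    """
    outer = ipaddress.IPv4Address(outer_v4_src)
    relays = {ipaddress.IPv4Address(r) for r in relay_v4_addrs}
    v4 = embedded_v4(inner_v6_src)

    if v4 is None:
        # Native IPv6 source: consistency cannot be computed.  The only
        # remaining question is whether the IPv4 sender is a relay we trust.
        return "accept-from-relay" if outer in relays else "drop-native-from-non-relay"

    if outer in relays:
        # A relay should never hand us traffic with a 2002::/16 source.
        return "drop-6to4-via-relay"

    # Ordinary 6to4 router: outer IPv4 source must equal V4ADDR of inner source.
    return "accept" if v4 == outer else "drop-inconsistent"


# Constructed sample packets for this example: (outer IPv4 src, inner IPv6 src).
SAMPLES = [
    ("192.0.2.1", "2002:c000:201::1"),      # consistent: c000:0201 == 192.0.2.1
    ("198.51.100.7", "2002:c000:201::1"),   # spoofed/misconfigured: V4ADDR != outer
    ("192.88.99.1", "3ffe:ffff::1"),        # native source via the configured relay
    ("203.0.113.5", "3ffe:ffff::1"),        # native source from a non-relay host
    ("192.88.99.1", "2002:c000:201::1"),    # 2002:: source arriving via a relay
]
RELAYS = ("192.88.99.1",)  # assumed relay address for this example


def run_samples():
    return [check_decapsulated(o, i, RELAYS) for o, i in SAMPLES]


if __name__ == "__main__":
    for (o, i), verdict in zip(SAMPLES, run_samples()):
        print(f"outer={o:<14} inner={i:<18} -> {verdict}")
```

The split into a pure comparison (embedded_v4 plus equality) and a policy branch for native sources is what makes both positions in the thread visible: the consistency test itself can only ever run on 2002::/16 sources, and whatever a site does with native-sourced packets from a relay is configuration, not a consistency check.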

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------