Bugtraq mailing list archives

Re: IPv4 mapped address considered harmful


From: Mark Tinberg <tinberg () securepipe com>
Date: Thu, 22 Aug 2002 20:05:59 -0500 (CDT)

Thank you very much for your prompt response.

On Fri, 23 Aug 2002 itojun () iijlab net wrote:

                 IPv4 mapped address considered harmful
               draft-itojun-v6ops-v4mapped-harmful-00.txt

[snip]

No change to the IPv6 protocol or network stacks is required, one only 
needs to maintain existing best practices by using simple packet filtering 
devices.

      did i suggest removing firewalls from your network?  i don't think so.
      yes, if you install a firewall rule which drops ::ffff:0:0/96, you can
      remedy the problem (to some degree).  however, given that there are
      protocol proposals that make use of IPv4 mapped address on wire, you
      will become incompatible with those proposals.

It would be nice if IPv6 firewalling products would auto-generate rules 
for the ::ffff:0:0/96 netblock based on your preexisting IPv4 rules, as 
otherwise you will have to recreate them by hand, introducing errors.  
That I think we agree on.  I don't think it will be necessary to filter 
out the entire ::ffff:0:0/96 netblock, making yourself incompatible with 
IPv4-in-IPv6 addressing though.


      changes to protocol/network stack is required as firewall does not
      remedy all of the problems presented in the draft (only some of them).


True, maybe I'm dense but I still don't see how the remaining problems are 
any different than current issues with IPv4 networks.  I can see how 
applications could make filtering a bit more difficult if the admin has to 
replicate all their filters (introducing errors) for both IPv4 and 
IPv4-in-IPv6 networks (filter out both 127.0.0.1 source and 
::ffff:127.0.0.1) but this shouldn't be an issue if the OS makes the IPv4 
address available to the application instead of the full IPv6 address.

Maybe we actually agree on the technical issues, but are having a semantic 
argument.  I don't see the difference in risk or resolution measures 
between the way things currently work, and the way they would work on an 
IPv6 network (although I'm no IPv6 expert so I may be misunderstanding 
things).   I do think it is a good idea to bring this up as many admins 
could easily forget about IPv4-in-IPv6 addressing and fail to take it 
into account when designing their security infrastructure.



-- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
Remember:  Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1  38A4 CF52 5FE0 7470 E5F7

        Your daily fortune . . . 

The Commandments of the EE:

(7)     Work thou not on energized equipment for if thou doest so, thy
        friends will surely be buying beers for thy widow and consoling
        her in certain ways not generally acceptable to thee.
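The two filtering concerns raised in this exchange (applying one rule to both 127.0.0.1 and ::ffff:127.0.0.1, and deriving ::ffff:0:0/96 rules from an existing IPv4 rule set rather than retyping them by hand) can be demonstrated with the standard library. This is an added example, not code from the original post or from the draft; the deny-list networks are constructed sample values and the function names are my own.

```python
import ipaddress
from typing import Union

# Constructed sample IPv4 deny rules for an application-level filter.
# These are illustrative values, not rules from the original thread.
IPV4_DENY_RULES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def normalize_peer(addr: str) -> IPAddr:
    """Return the embedded IPv4 address for an IPv4-mapped IPv6 peer
    (::ffff:a.b.c.d); any other address is returned unchanged.

    This is the "OS makes the IPv4 address available to the application"
    step done in user space: rules are then written once, in IPv4 form."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_denied(addr: str) -> bool:
    """Apply the IPv4 deny rules to native IPv4 peers and to IPv4-mapped
    IPv6 peers alike. Native IPv6 peers are out of scope for these rules
    and would need their own IPv6 rule set."""
    peer = normalize_peer(addr)
    if isinstance(peer, ipaddress.IPv4Address):
        return any(peer in net for net in IPV4_DENY_RULES)
    return False


def mapped_rule(v4_cidr: str) -> ipaddress.IPv6Network:
    """Translate an IPv4 rule network into the equivalent network inside
    ::ffff:0:0/96, for a packet filter that matches on the IPv6 header.
    An IPv4 /n becomes an IPv6 /(96+n) because the IPv4 address occupies
    the low 32 bits of the mapped address."""
    net = ipaddress.IPv4Network(v4_cidr)
    return ipaddress.IPv6Network(f"::ffff:{net.network_address}/{96 + net.prefixlen}")


def mapped_rule_matches(addr: str, v4_cidr: str) -> bool:
    """True if an IPv6 address falls inside the mapped form of an IPv4 rule."""
    return ipaddress.IPv6Address(addr) in mapped_rule(v4_cidr)


def mapped_rule_prefixlen(v4_cidr: str) -> int:
    """Prefix length of the generated ::ffff: rule (for inspection/logging)."""
    return mapped_rule(v4_cidr).prefixlen


if __name__ == "__main__":
    for peer in ("127.0.0.1", "::ffff:127.0.0.1", "192.0.2.5", "::1"):
        print(f"{peer:>20} -> denied={is_denied(peer)}")
    for rule in ("127.0.0.0/8", "10.0.0.0/8"):
        print(f"{rule:>20} -> {mapped_rule(rule)}")
```

The application-side normalization handles the loopback case from the message above; the rule translation is the piece a firewall product would need to auto-generate, and it is a pure prefix-length shift, so it can be checked mechanically against the IPv4 rule set instead of by hand.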

