Educause Security Discussion mailing list archives
Re: IPv6 Tunnels
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 15 Feb 2005 12:13:08 -0500
On Tue, 15 Feb 2005 11:49:18 EST, Gary Flynn said:
A student-run Unix server has been set up as an IPv6 tunnel for academic experimentation and learning. I'm worried about IPv6 tunnels inadvertently bypassing border access controls.
Well... there's 2 possibilities.

One is that it's a 6-over-4 tunnel, in which case your border router only sees the IPv4 encapsulation. But you *ALREADY* know how to deal with this - it's exactly the same issue as an incoming VPN or SSL connection. (If you don't already handle this case, you've got bigger problems than IPv6).

Another issue is if it's a native IPv6 connection, if your site has rolled that out. Make sure that any IPv4 ACLs on the border routers have equivalent IPv6 ACLs in place.

Common cause of screw-ups in filtering: Forgetting about IPv6 addresses in the ffff: prefix - those are encapsulated IPv4 addresses....
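
The ffff: prefix pitfall from the reply above, as an added example that is not part of the original message: a filter that compares an address only with rules of its own family misses an IPv4 deny rule when the same host appears as ::ffff:a.b.c.d. The rule sets and function names are constructed for illustration, and the 6to4 (2002::/16) case goes beyond what the message mentions.

```python
import ipaddress

# Constructed sample policy (documentation prefixes): IPv4 deny rules as they
# might exist on a border ACL, plus an IPv6 rule set written separately.
V4_DENY = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("198.51.100.64/26")]
V6_DENY = [ipaddress.ip_network("2001:db8:bad::/48")]


def embedded_ipv4(addr):
    """Return the IPv4 address carried inside an IPv6 address, or None.

    Covers IPv4-mapped (::ffff:a.b.c.d) and, as a generalisation beyond the
    message, 6to4 (2002::/16) addresses.
    """
    if addr.version != 6:
        return None
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr.sixtofour  # None when the address is not in 2002::/16


def naive_denied(text):
    """The mistake: an address is only compared with rules of its own family."""
    addr = ipaddress.ip_address(text)
    rules = V4_DENY if addr.version == 4 else V6_DENY
    return any(addr in net for net in rules)


def denied(text):
    """Check the address itself, then any IPv4 address embedded in it."""
    addr = ipaddress.ip_address(text)
    candidates = [addr]
    inner = embedded_ipv4(addr)
    if inner is not None:
        candidates.append(inner)
    return any(c in net
               for c in candidates
               for net in V4_DENY + V6_DENY
               if c.version == net.version)


if __name__ == "__main__":
    for sample in ("192.0.2.10", "::ffff:192.0.2.10", "2002:c000:20a::1",
                   "2001:db8:bad::5", "::ffff:203.0.113.5"):
        print(f"{sample:24} naive={naive_denied(sample)!s:5} fixed={denied(sample)}")
```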