Re: mh (RE: OMB: IPv6 by June 2008)

[Iljitsch van Beijnum <iljitsch () muada com>]

On 8-jul-2005, at 19:34, Fred Baker wrote:



> A NAT, in that context, is a stateful firewall that changes the  
> addresses, which means that the end station cannot use IPSEC to  
> ensure that it is still talking with the same system on the  
> outside. It is able to use TLS, SSH, etc as transport layer  
> solutions, but those are subject to attacks on TCP such as RST  
> attacks, data insertion, acknowledge hacking, and so on, and SSH  
> also has a windowing problem (on top of TCP's window, SSH has its  
> own window, and in large delay*bandwidth product situations SSH's  
> window is a performance limit). In other words, a NAT is a man-in- 
> the-middle attack, or is a device that forces the end user to  
> expose himself to man-in-the-middle attacks.

:-)





> A true stateful firewall that allows IPSEC end to end doesn't  
> expose the user to those attacks.

I of course couldn't resist, so:

!
ipv6 access-list out-ipv6-acl
 permit ipv6 any any reflect state-acl
!
ipv6 access-list in-ipv6-acl
 evaluate state-acl
 deny ipv6 any any log
!

(don't try this at home, kids: that deny any is dangerous because it  
blocks neighbor discovery)

Unfortunately, IPsec (ESP transport mode) isn't allowed back in:

%IPV6-6-ACCESSLOGNP: list in-ipv6-acl/20 denied 50 2001:1AF8:2:5::2 - 
> 2001:1AF8:6:0:20A:95FF:FEF5:246E, 29 packets

On second thought: how could it? The SPIs for outgoing and incoming  
packets are different. I suppose it would be possible for the  
stateful filter to snoop the ISAKMP protocol and install filter rules  
based on the information found there, but that's obviously not what  
happens.