(usagi-users 02485) Re: ip6tables Feature Request
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 02485) Re: ip6tables Feature Request
- From: Elliott Mitchell <ehem@xxxxxxx>
- Date: Fri, 25 Jul 2003 00:05:53 -0700 (PDT)
- In-reply-to: <Pine.LNX.4.44.0307250632110.12224-100000@netcore.fi>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
> From: Pekka Savola <pekkas@xxxxxxxxxx>
> On Thu, 24 Jul 2003, Elliott Mitchell wrote:
> > The situations where it would be crucial don't appear to be common yet,
> > but could a V6 target be created that passes a packet through the V4
> > table?
> >
> > Specifically for the case where there are IPv6-only hosts, and therefore
> > V4-mapped addresses directly on the wire it would be very useful to
> > filter those packets through the V4 tables. There is plenty of
> > documentation on how to generate new tests/targets, but much less on how
> > to hack a packet to test versus the V4 rules.
>
> IPv4-mapped addresses on the wire are completely bogus. DON'T DO THAT!
If all your hosts are dual-stack, yes. If your internal network is
IPv6-only, and you have a NAT host converting to IPv4, then it may be
valid. Currently as the hosts I worry about are dual stack these get
dropped, I'm looking towards future needs.
> http://www.ietf.org/internet-drafts/draft-itojun-v6ops-v4mapped-harmful-01.txt
http://www.securityfocus.com/archive/1/289407/2002-08-22/2002-08-28/1
The alert that the _draft_ puts out is valid, though the conclusion is
bogus. It brings up a new variant of an old attack that needs to be watched
for. The suggestion was for a module that could be used to make it easier
to build an effective firewall.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\ ( | EHeM@xxxxxxxxxxxxxxx PGP 8881EF59 | ) /
\_ \ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
\___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
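As an added illustration of the filtering question in this thread (this is not code from either poster, nor from the USAGI or netfilter projects), the check below classifies source addresses seen on a link: native IPv6, IPv4-mapped (::ffff:a.b.c.d), and IPv4-mapped addresses whose embedded IPv4 address an existing v4 deny list would already have rejected. It assumes a hypothetical v4 deny list and constructed sample addresses; the ip6tables rules it emits are the plain "drop v4-mapped on the wire" policy the draft recommends, not a pass-through target. The point for a firewall builder is that the v4 policy is only applied if something extracts the embedded address, which is exactly the gap the thread describes.

```python
import ipaddress

# Constructed sample of source addresses observed on an IPv6-only segment
# (illustrative values only, not taken from the list thread).
SAMPLE_SOURCES = [
    "2001:db8::1",          # native IPv6
    "::ffff:192.0.2.10",    # IPv4-mapped, dotted form
    "::ffff:c000:20a",      # same address, hex form
    "::ffff:10.0.0.5",      # IPv4-mapped, embedded RFC 1918 address
    "fe80::1",              # link-local, native
]

# Hypothetical IPv4 deny list that the v4 table already enforces at the border.
# A v6 table that never unwraps the mapped address would not apply it.
V4_DENY = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The well-known IPv4-mapped prefix (RFC 4291, ::ffff:0:0/96).
V4_MAPPED_PREFIX = ipaddress.ip_network("::ffff:0:0/96")


def mapped_v4(addr):
    """Return the embedded IPv4Address if addr is IPv4-mapped, else None.

    Accepts the dotted (::ffff:192.0.2.10) and hex (::ffff:c000:20a) spellings,
    which the ipaddress module normalises to the same 128-bit value.
    """
    a = ipaddress.ip_address(addr)
    if isinstance(a, ipaddress.IPv6Address):
        return a.ipv4_mapped  # IPv4Address or None
    return None


def classify(addr, deny=V4_DENY):
    """Classify one source address as seen by an IPv6 filter.

    'native'        - ordinary IPv6, handled by the v6 rules as usual
    'mapped'        - IPv4-mapped on the wire; the v4 table would have allowed it
    'mapped-denied' - IPv4-mapped on the wire; the v4 table would have dropped it
    """
    v4 = mapped_v4(addr)
    if v4 is None:
        return "native"
    if any(v4 in net for net in deny):
        return "mapped-denied"
    return "mapped"


def audit(sources=SAMPLE_SOURCES, deny=V4_DENY):
    """Map each observed address to its classification and embedded v4 address."""
    report = {}
    for src in sources:
        v4 = mapped_v4(src)
        report[src] = (classify(src, deny), None if v4 is None else str(v4))
    return report


def ip6tables_drop_rules(chain="INPUT"):
    """ip6tables commands implementing the draft's advice: refuse IPv4-mapped
    addresses on the wire in either direction, in the given chain."""
    prefix = str(V4_MAPPED_PREFIX)
    return [
        f"ip6tables -A {chain} -s {prefix} -j DROP",
        f"ip6tables -A {chain} -d {prefix} -j DROP",
    ]


if __name__ == "__main__":
    for src, (kind, v4) in audit().items():
        print(f"{src:22} {kind:14} embedded v4: {v4}")
    print("\n".join(ip6tables_drop_rules()))
```

Run it directly to see the classification of the sample addresses and the two drop rules. Note that the hex and dotted spellings of the same mapped address are treated identically, so a filter matching on the textual form rather than the prefix would be easy to slip past; match on ::ffff:0:0/96 as the rules do.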