
(usagi-users 02489) Re: ip6tables Feature Request



On Fri, 25 Jul 2003, Elliott Mitchell wrote:
> > From: Pekka Savola <pekkas@xxxxxxxxxx>
> > On Thu, 24 Jul 2003, Elliott Mitchell wrote:
> > > The situations where it would be crucial don't appear to be common yet,
> > > but could a V6 target be created that passes a packet through the V4
> > > table?
> > > 
> > > Specifically for the case where there are IPv6-only hosts, and therefore
> > > V4-mapped addresses directly on the wire it would be very useful to
> > > filter those packets through the V4 tables. There is plenty of
> > > documentation on how to generate new tests/targets, but much less on how
> > > to hack a packet to test versus the V4 rules.
> > 
> > IPv4-mapped addresses on the wire are completely bogus.  DON'T DO THAT!
> 
> If all your hosts are dual-stack, yes. If your internal network is
> IPv6-only, and you have a NAT host converting to IPv4, then it may be
> valid. Currently as the hosts I worry about are dual stack these get
> dropped, I'm looking towards future needs.

Looking too far in the future is fruitless.

Note that the preferred mechanism for transition is dual-stack, not 
IPv6-only + protocol translation.

> > http://www.ietf.org/internet-drafts/draft-itojun-v6ops-v4mapped-harmful-01.txt
> 
> http://www.securityfocus.com/archive/1/289407/2002-08-22/2002-08-28/1
> 
> The alert that the _draft_ puts out is valid, though the conclusion is
> bogus. It brings up a new variant of an old attack that needs to be watched
> for. The suggestion was for a module that could be used to make it easier
> to build an effective firewall.

I do not think this is the right thing to do.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
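The three filtering policies argued over in this thread, written out as an added Python example (not code from the thread, the USAGI project or netfilter): a v6 filter with no rule for v4-mapped addresses, the requested "pass the embedded v4 address through the v4 rules" target, and the reply's "drop anything in ::ffff:0:0/96 on the wire" stance. The deny list and sample addresses are constructed for illustration.

```python
"""Added example: how a v6 packet filter can treat an IPv4-mapped source address.

Assumptions (constructed, not from the thread): the v4 rule set is reduced to a
deny list of CIDR blocks, and only the source address is inspected.
"""
import ipaddress

# Constructed v4 deny list standing in for the "V4 table" of the request.
V4_DENY = [ipaddress.ip_network("192.0.2.0/24")]

def embedded_v4(src: str):
    """Return the IPv4 address carried by a v4-mapped address (::ffff:a.b.c.d),
    or None when the source is a native IPv6 address."""
    return ipaddress.IPv6Address(src).ipv4_mapped  # None outside ::ffff:0:0/96

def v4_rules_deny(v4: ipaddress.IPv4Address) -> bool:
    """Stand-in for consulting the v4 rule set."""
    return any(v4 in net for net in V4_DENY)

def naive_verdict(src: str) -> str:
    """A v6 rule set that never mentions mapped addresses: the v4 deny list is
    bypassed because the packet is matched as IPv6 only."""
    return "ACCEPT"

def passthrough_verdict(src: str) -> str:
    """The requested target: hand the embedded v4 address to the v4 rules."""
    v4 = embedded_v4(src)
    if v4 is not None and v4_rules_deny(v4):
        return "DROP"
    return "ACCEPT"

def strict_verdict(src: str) -> str:
    """The reply's position: v4-mapped addresses are bogus on the wire, so any
    packet carrying one is dropped regardless of what the v4 rules say."""
    return "DROP" if embedded_v4(src) is not None else "ACCEPT"

if __name__ == "__main__":
    # Constructed samples: one mapped address on the deny list, one mapped
    # address off it, one native IPv6 address.
    for src in ("::ffff:192.0.2.10", "::ffff:198.51.100.5", "2001:db8::1"):
        print(src, naive_verdict(src), passthrough_verdict(src), strict_verdict(src))
```

Only the strict policy needs no knowledge of the v4 rules; the pass-through target must be kept in step with the v4 table to close the same gap.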