Pekka Savola wrote:
> 
> On Tue, 11 Dec 2001, Brian E Carpenter wrote:
> > Pekka Savola wrote:
> > > 
> > > On Tue, 11 Dec 2001, Brian E Carpenter wrote:
> > > > Pekka Savola wrote:
> > > > ...
> > > > > > > http://www.ietf.org/internet-drafts/draft-savola-ngtrans-6to4-security-00.txt
> > > > > > > 
> > > > > > > (by the way, comments would be welcome ;-)
> > > > ...
> > > > > > Your discussion about what should not happen is already in RFC 3056
> > > > > > security issues.
> > > > > 
> > > > > Some are, some aren't. But the main point was, that RFC 3056 rules were a
> > > > > little abstract (and as a matter of fact, wrong in one sentence), so that
> > > > > they were basically unimplementable and rather non-understandable. This
> > > > > is noted in the introduction.
> > > > 
> > > > There's no harm in an informational document making the RFC 3056 security
> > > > rules more explicit, although the details are certainly implementation
> > > > dependent. However, I can't find in your draft a clear reference to the
> > > > sentence in 3056 that you believe is wrong.
> > > 
> > > It's not noted in the draft, but it was mentioned on the ngtrans list.
> > > 
> > > In security considerations:
> > > 
> > >    A possible
> > >    plausibility check is whether the encapsulating IPv4 address is
> > >    consistent with the encapsulated 2002:: address. If this check is
> > >    applied, exceptions to it must be configured to admit traffic from
> > >    relay routers (Section 5).
> > > 
> > > The latter sentence makes no sense and is confusing, as the only packets
> > > coming from a relay have the native source address, not 2002::/16, and
> > > the destination need not be excepted if it is checked.
> > 
> > Sorry, I think you are wrong. If the source of a packet is a normal
> > 6to4 router, the outer IPv4 source address must be consistent(*) with the
> > V4ADDR of the source address in the embedded 2002:: packet.
> 
> This is an issue with multihomed, but that does not affect the discussion
> here.

It has absolutely nothing to do with multihoming, except for my footnote(*)
on the meaning of "consistent".

> Anyway, multihomed IMO probably should select an IPv4 address that
> matches the prefix. I see little reason to support the asymmetry (one
> 6to4 prefix, multiple IPv4 addresses). In a multihoming scenario, this
> would be useful only when one connection fails, but then the return
> packets could not be delivered anyway.
> 
> > But if the source of the packet is a 6to4 relay, the inner source address
> > may be a native IPv6 address that would fail the consistency check,
> > so the check must be skipped. That's what the second sentence says.
> 
> The sentence refers to:
> 
>    whether the encapsulating IPv4 address is consistent with the encapsulated
>    2002:: address.
> 
> 1) You cannot receive IPv6 packets from a *relay* which have the 2002::/16
> prefix. If you do, someone is using 6to4 improperly.

We agree on this. Actually, the relay (according to RFC 3056) is a 6to4
router that also has a native IPv6 interface. It certainly can source 2002:
packets from its own site, as well as native source addresses from the
native interface. You can apply the consistency check, but not to relayed
packets with a native source address.

> 2) How do you check that 3ffe:ffff::1 is consistent with an IPv4 address?
> 
> You cannot check *consistency* unless the addresses are of the form
> 2002:<anything at all> and <IPv4 anything at all>. Only 2002 and IPv4 can
> be compared.

Yes. 3056 says nothing different. I see no error in the 3056 text.

   Brian

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
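The plausibility check the thread argues over, written out as an added example that is not part of the original thread, RFC 3056, or any 6to4 implementation: a small Python filter parses a constructed IPv6-in-IPv4 (protocol 41) packet, compares the outer IPv4 source with the V4ADDR carried in bits 16..47 of a 2002::/16 inner source, and skips (rather than fails) the comparison when the inner source is a native IPv6 address, which is the relay case Brian describes. It also includes the destination-side counterpart Pekka mentions, where the inner 2002:: destination must embed the outer IPv4 destination. The packet builder, the sample addresses, and the verdict strings are all constructed for this example; nothing here is taken from an existing router.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number for IPv6 encapsulated in IPv4


def embedded_v4addr(addr6):
    """V4ADDR carried in bits 16..47 of a 2002::/16 address, or None if native."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def build_proto41(outer_src4, outer_dst4, inner_src6, inner_dst6):
    """Constructed sample packet: 20-byte IPv4 header (proto 41) + 40-byte IPv6 header.
    The IPv4 checksum is left at zero; this is test input, not a packet to send."""
    outer = struct.pack("!BBHHHBBH4s4s",
                        0x45, 0, 20 + 40, 0, 0, 64, PROTO_IPV6_IN_IPV4, 0,
                        ipaddress.IPv4Address(outer_src4).packed,
                        ipaddress.IPv4Address(outer_dst4).packed)
    inner = struct.pack("!IHBB16s16s",
                        0x60000000, 0, 59, 64,  # version 6, no payload, next header 59
                        ipaddress.IPv6Address(inner_src6).packed,
                        ipaddress.IPv6Address(inner_dst6).packed)
    return outer + inner


def parse_proto41(packet):
    """Return (outer IPv4 src, outer IPv4 dst, inner IPv6 src, inner IPv6 dst)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_IPV6_IN_IPV4:
        raise ValueError("not protocol 41")
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner header is not IPv6")
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]),
            ipaddress.IPv6Address(inner[8:24]),
            ipaddress.IPv6Address(inner[24:40]))


def source_check(outer_src4, inner_src6):
    """RFC 3056-style consistency check on the source, with the relay exception."""
    v4 = embedded_v4addr(inner_src6)
    if v4 is None:
        # Native source: the packet was forwarded by a relay router, so there
        # is no V4ADDR to compare against. The check is skipped, not failed.
        return "skip-native-source"
    if v4 == ipaddress.IPv4Address(outer_src4):
        return "accept"
    return "reject-inconsistent"


def destination_consistent(outer_dst4, inner_dst6):
    """True when the inner 2002:: destination embeds the outer IPv4 destination.
    A native inner destination is left to the relay path and not rejected here."""
    v4 = embedded_v4addr(inner_dst6)
    return v4 is None or v4 == ipaddress.IPv4Address(outer_dst4)


def check_packet(packet):
    """Verdict for one encapsulated packet as a receiving 6to4 router would see it."""
    outer_src, outer_dst, inner_src, inner_dst = parse_proto41(packet)
    if not destination_consistent(outer_dst, inner_dst):
        return "reject-destination"
    return source_check(outer_src, inner_src)


if __name__ == "__main__":
    # Constructed samples using documentation prefixes (RFC 5737 / 6to4 of them).
    samples = [
        ("normal 6to4 router, consistent",
         build_proto41("192.0.2.1", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1")),
        ("outer source does not match embedded V4ADDR",
         build_proto41("203.0.113.9", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1")),
        ("relayed packet with native source",
         build_proto41("203.0.113.9", "198.51.100.7", "3ffe:ffff::1", "2002:c633:6407::1")),
    ]
    for label, pkt in samples:
        print(f"{label}: {check_packet(pkt)}")
```

The three verdicts separate the cases the thread conflates: a mismatch between the outer IPv4 source and the embedded V4ADDR is a rejection, while a native inner source is simply outside the scope of the comparison, which is the "exception" RFC 3056's second sentence asks an implementer to configure.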
