Hi,

Please see my comments below:

a) Yes, maybe DNS AAAA filtering can be mentioned in a separate new section.

b) No, I do not mean ICMPv6 errors only, but all ICMPv6 messages (which should not be there in an IPv4-only network, right??). So a Network IDS/IPS can filter/block ICMPv6 traffic (similar to RA guard, detect-block DHCPv6, etc.).

I am not sure if this works. But suppose a malicious host knows a Dual Stack Host MAC address via ARP, can it use ICMPv6 Neigh Solicit/Discovery to trick the Dual Stack Host to connect/route IPv6 packets to it, which in turn can do a NAT64 send out to the outside world?

[Dual stack]<--IPv6-->[Malicious Host doing NAT64, DNS64, etc]<--IPv4-->[IPv4 only router]<-->(Outside world)

If I am not wrong, most IETF suggestions are to try IPv6 first, then fall back to IPv4 (e.g. behaviour of DNS64?? Try AAAA then A??). Hence, in an IPv4-only network, ICMPv6 (using ARP info) can be used for Man-In-Middle??

On Tue, Dec 18, 2012 at 10:56 AM, Fernando Gont <[email protected]> wrote:
> Hi, Simon,
>
> Thanks so much for your feedback! Please find my comments inline....
>
> On 12/17/2012 10:28 PM, Simon Eng wrote:
> > Hi,
> >
> > If I am not wrong, the 3 key parts for
> > draft-ietf-opsec-ipv6-implications-on-ipv4-nets-01 are:
> >
> > Section 1 Introduction/Problem Statement
> > Section 2 Filtering Native IPv6
> > Section 3 Filtering Transition
> >
> > Hence, from Wes's suggestion, DNS filtering should be added (maybe
> > Section 3??).
>
> Wes's suggestion seems to be to do DNS AAAA filtering *when* you do
> native/transition traffic filtering...
>
> > Another scenario to consider for DNS is a malicious host
> > on the IPv4 network acting as an IPv6 Router-cum-DNS64 => spoof DNS AAAA
> > replies so that dual-stack hosts will route IPv6 traffic to malicious
> > host => Man-In-Middle attack??
>
> Yep. This should probably be added to the intro -- if it's not already
> there....
>
> > In Section 2, only DHCPv6 & RA are mentioned. I'd like to suggest
> > filtering of ICMPv6 too.
>
> You mean ICMPv6 errors, or what?
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
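Simon's suggestion above, that a network IDS can flag ICMPv6 on an IPv4-only segment, as an added example that is not from the thread or the draft: a Python frame classifier that raises an alert for any IPv6 frame seen on the segment and names Neighbor Discovery messages (Router Advertisement, Neighbor Solicitation, and so on) by type. The sample frames, MAC and IPv6 addresses are constructed here; the code assumes a raw Ethernet capture and decodes only an ICMPv6 header that directly follows the base IPv6 header.

```python
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
ICMPV6 = 58  # IPv6 next-header value for ICMPv6
# Neighbor Discovery message types (RFC 4861) that configure routers/neighbours
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify_frame(frame):
    """Return None for non-IPv6 frames (IPv4, ARP); otherwise describe the IPv6 frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    info = {"src_mac": mac_str(frame[6:12]), "kind": "IPv6 (unparsed)"}
    ip6 = frame[14:]
    if len(ip6) < 40:
        return info
    next_header = ip6[6]
    info["src_ip"] = ipaddress.IPv6Address(ip6[8:24]).compressed
    # Only an ICMPv6 header directly after the base header is decoded; a real sensor
    # must also walk any IPv6 extension headers before classifying the message.
    if next_header == ICMPV6 and len(ip6) > 40:
        info["kind"] = NDP_TYPES.get(ip6[40], f"ICMPv6 type {ip6[40]}")
    return info

def audit_capture(frames):
    """On an IPv4-only segment every IPv6 frame is unexpected; return one alert per frame."""
    return [info for info in map(classify_frame, frames) if info is not None]

# --- constructed sample frames (not a real capture; checksums left at zero) ---
def _eth(src_mac, ethertype, payload):
    return bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ethertype) + payload

def _ip6(src, dst, payload):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), ICMPV6, 255)
    return hdr + src + dst + payload

ROGUE_MAC = bytes.fromhex("0200000000aa")  # constructed "malicious host" MAC
LINK_LOCAL = ipaddress.IPv6Address("fe80::aa").packed
ALL_NODES = ipaddress.IPv6Address("ff02::1").packed
SAMPLE_FRAMES = [
    _eth(bytes.fromhex("020000000001"), 0x0806, b"\x00" * 28),           # ARP request
    _eth(bytes.fromhex("020000000001"), 0x0800, b"\x45" + b"\x00" * 19),  # IPv4 packet
    _eth(ROGUE_MAC, ETHERTYPE_IPV6, _ip6(LINK_LOCAL, ALL_NODES, bytes([134, 0]) + b"\x00" * 14)),
    _eth(ROGUE_MAC, ETHERTYPE_IPV6, _ip6(LINK_LOCAL, ALL_NODES, bytes([135, 0]) + b"\x00" * 22)),
]
```

Running `audit_capture(SAMPLE_FRAMES)` yields two alerts, both attributed to the constructed MAC `02:00:00:00:00:aa`, while the ARP and IPv4 frames pass silently.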
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
