Hi, Simon,

On 12/18/2012 12:44 AM, Simon Eng wrote:
> a) Yes, maybe DNS AAAA filtering can be mentioned in a separate new
> section.

My take is that this kind of filtering is meant to complement the kind of filtering already discussed in the document. In such case, the corresponding text should be added to some of the existing section(s).

> b) No, I do not mean ICMPv6 errors only, but all ICMPv6 messages (which
> should not be there in an IPv4-only network, right??). So a Network IDS/IPS
> can filter/block ICMPv6 traffic (similar to RA guard, detect-block
> DHCPv6, etc).

The discussion of RA-Guard and DHCPv6-Shield is meant to prevent an attacker from successfully triggering v6-connectivity at the target hosts, and is a layer-2 filtering. For other packets, you probably simply want to filter IPv6 packets, with such a coarse granularity.

> I am not sure if this works. But suppose a malicious host knows a Dual
> Stack Host MAC address via ARP, can it use ICMPv6 Neigh
> Solicit/Discovery to trick the Dual Stack Host to connect/route IPv6 packets
> to it, which in turn can do a NAT64 send out to the outside world?

Except for link-local traffic, this should be performed in conjunction with other attacks (e.g., forging RAs).

> If I am not wrong, most IETF suggestions are to try IPv6 first, then
> fall back to IPv4 (e.g. behaviour of DNS64?? Try AAAA then A??). Hence,
> in an IPv4-only network, ICMPv6 (using ARP info) can be used for
> Man-In-Middle??

Yes. Although that implies you already have some v6 connectivity.

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
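The thread above argues that on an IPv4-only segment any IPv6 frame is out of policy, and that Router Advertisements and DHCPv6 (the messages RA-Guard and DHCPv6-Shield target) are the ones that can hand a host unwanted v6 connectivity. The following is an added example, not code from the OPSEC thread or from either participant: a small passive classifier that walks raw Ethernet frames (as a pcap reader or a SPAN-port capture would deliver them) and reports every IPv6 frame, rating Neighbor Discovery messages that change routing state and DHCPv6 traffic as high severity. The sample frames at the bottom are constructed inline for the demonstration; the severity labels and the decision not to walk IPv6 extension headers are my own choices.

```python
import struct
import ipaddress

# Added example: flag IPv6 traffic on a segment that is meant to be IPv4-only.
# Constants below are protocol values from the Ethernet, ICMPv6 (RFC 4861)
# and DHCPv6 (RFC 3315) specifications, not values taken from the thread.
ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6 = 58
NH_UDP = 17
DHCPV6_PORTS = {546, 547}          # DHCPv6 client / server ports

# ICMPv6 Neighbor Discovery message types.
ND_TYPES = {
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbor-solicitation",
    136: "neighbor-advertisement",
    137: "redirect",
}
# Messages that can alter a host's default route or neighbor cache rate highest
# (assumed severity policy for this example).
HIGH_RISK_ND = {134, 136, 137}


def classify_frame(frame: bytes):
    """Return a finding dict for an IPv6 frame, or None if the frame is not IPv6.

    Extension headers are deliberately not walked: a frame whose first
    next-header is neither ICMPv6 nor UDP is still reported with a generic
    kind, because on an IPv4-only segment every IPv6 frame is out of policy.
    """
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:]
    if len(ip6) < 40:
        return {"kind": "ipv6-truncated", "severity": "low", "src": None, "dst": None}
    next_header = ip6[6]
    src = ipaddress.IPv6Address(ip6[8:24]).compressed
    dst = ipaddress.IPv6Address(ip6[24:40]).compressed
    payload = ip6[40:]
    finding = {"kind": f"ipv6-nh-{next_header}", "severity": "medium", "src": src, "dst": dst}

    if next_header == NH_ICMPV6 and len(payload) >= 4:
        icmp_type = payload[0]
        if icmp_type in ND_TYPES:
            finding["kind"] = ND_TYPES[icmp_type]
            finding["severity"] = "high" if icmp_type in HIGH_RISK_ND else "medium"
        else:
            finding["kind"] = f"icmpv6-type-{icmp_type}"
    elif next_header == NH_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if sport in DHCPV6_PORTS or dport in DHCPV6_PORTS:
            finding["kind"] = "dhcpv6"
            finding["severity"] = "high"
    return finding


def scan_frames(frames):
    """Classify every frame and keep only the IPv6 findings, in capture order."""
    return [f for f in (classify_frame(fr) for fr in frames) if f is not None]


# --- constructed sample frames (not captured traffic) ---------------------
def _eth(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def _ip6(src, dst, next_header, payload, hop_limit=255):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


_ROGUE_MAC = bytes.fromhex("020000000001")      # locally administered, made up
_HOST_MAC = bytes.fromhex("020000000002")
_ALL_NODES_MAC = bytes.fromhex("333300000001")  # multicast MAC for ff02::1

# Checksums are left as zero; the classifier does not verify them.
_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
_NS = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address("fe80::2").packed
_DHCP6_SOLICIT = struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\x00\x00\x01"
_TCP_SYN = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, 0x5002, 8192, 0, 0)

SAMPLE_FRAMES = [
    _eth(_HOST_MAC, b"\xff" * 6, 0x0806, b"\x00" * 28),  # ARP: expected on IPv4, ignored
    _eth(_ROGUE_MAC, _ALL_NODES_MAC, ETHERTYPE_IPV6, _ip6("fe80::1", "ff02::1", NH_ICMPV6, _RA)),
    _eth(_HOST_MAC, _ALL_NODES_MAC, ETHERTYPE_IPV6, _ip6("fe80::2", "ff02::1:ff00:1", NH_ICMPV6, _NS)),
    _eth(_HOST_MAC, _ALL_NODES_MAC, ETHERTYPE_IPV6, _ip6("fe80::2", "ff02::1:2", NH_UDP, _DHCP6_SOLICIT)),
    _eth(_HOST_MAC, _ROGUE_MAC, ETHERTYPE_IPV6, _ip6("2001:db8::2", "2001:db8::1", 6, _TCP_SYN)),
]

if __name__ == "__main__":
    for f in scan_frames(SAMPLE_FRAMES):
        print(f"{f['severity']:6} {f['kind']:22} {f['src']} -> {f['dst']}")
```

Run against the constructed frames, the ARP frame produces nothing, the Router Advertisement and the DHCPv6 Solicit come out as high severity, and the TCP-over-IPv6 frame is still reported (as a generic `ipv6-nh-6` finding) even though nothing ND-specific was parsed, which matches the point in the thread that on an IPv4-only network the coarse "any IPv6 at all" check is the one that matters.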
