Hi, Fred,

On 02/27/2013 03:31 PM, Templin, Fred L wrote:
>
> "As a result, blocking ISATAP by preventing hosts from
> successfully performing name resolution for the
> aforementioned names and/or by filtering packets with
> specific IPv4 destination addresses is both difficult
> and undesirable."
>
> I would like to understand this better. In particular, the
> ISATAP service is by design disabled by disabling name
> resolution for the name "isatap.domainname" and/or by
> disabling the ISATAP router advertisement service. Can
> you say why this would be difficult and undesirable?
Preventing name resolution is virtually impossible, since Windows nodes not only try to perform such resolution with DNS, but also with LLMNR. In order to block the latter, you should be able to achieve such filtering at layer 2 -- and that would be a bit onerous (not to mention how difficult that would be if fragmentation is employed).

Since you never know what the isatap domain names may resolve to, it's essentially impossible to block isatap packets based on a specific destination address (you'd need to know such address in advance in order to create the ACL).

Please do let me know if this clarification has been of any help.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
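The reply above makes two points: hosts may resolve "isatap.<domain>" over DNS or over LLMNR, so a name-based block has to watch both, and a destination-address ACL cannot be written before you know what the name resolves to. The following Python is an added example, not part of the thread or of any IETF document: it flags ISATAP name lookups in constructed DNS/LLMNR query log lines (the log format and the sample lines are assumptions), and it goes one step beyond the thread by recovering ISATAP tunnel endpoints after the fact from observed IPv6 addresses, using the ISATAP interface identifier format from RFC 5214 (the low 64 bits are 0000:5efe or 0200:5efe followed by the embedded IPv4 address), which is not stated on the page.

```python
import ipaddress
import re

# Constructed sample query log lines (assumed format: proto qtype qname src).
# They are illustrative, not captured from any real network.
SAMPLE_QUERIES = [
    "DNS   A    isatap.example.com        10.0.0.21",
    "LLMNR A    ISATAP                    10.0.0.22",
    "DNS   A    www.example.com           10.0.0.23",
    "LLMNR A    isatap.corp.example.com   10.0.0.24",
    "DNS   AAAA isatap-not.example.com    10.0.0.25",
]

# Constructed sample of IPv6 addresses seen on the wire (assumed input).
SAMPLE_ADDRS = [
    "fe80::5efe:10.0.0.5",          # ISATAP link-local, private-format IID
    "fe80::200:5efe:c0a8:101",      # ISATAP link-local, global-format IID
    "2001:db8::1",                  # ordinary IPv6 address
    "fe80::1",                      # ordinary link-local address
    "not-an-ip",                    # junk line, must not raise
]

# First label must be exactly "isatap" (case-insensitive), as in "isatap.<domain>".
ISATAP_NAME = re.compile(r"^isatap(\.|$)", re.IGNORECASE)

# ISATAP interface identifier prefixes (RFC 5214): 0000:5efe or 0200:5efe.
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def isatap_name_lookups(lines):
    """Return (proto, qname, src) for every DNS or LLMNR query whose first
    label is 'isatap'. Both protocols are checked because, as the thread
    notes, Windows hosts fall back to LLMNR when DNS gives no answer."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        proto, _qtype, qname, src = parts
        if ISATAP_NAME.match(qname.rstrip(".")):
            hits.append((proto, qname, src))
    return hits


def isatap_endpoint(addr):
    """If addr is an IPv6 address carrying an ISATAP interface identifier,
    return the embedded IPv4 endpoint as a string; otherwise return None."""
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    if iid[:4] in ISATAP_IID_PREFIXES:
        return str(ipaddress.IPv4Address(iid[4:]))
    return None


def observed_isatap_endpoints(addrs):
    """Collect the set of IPv4 tunnel endpoints embedded in observed ISATAP
    addresses. This is what a defender can learn only after the fact, which
    is why an ACL on a specific destination cannot be written in advance."""
    endpoints = set()
    for addr in addrs:
        v4 = isatap_endpoint(addr)
        if v4 is not None:
            endpoints.add(v4)
    return endpoints


if __name__ == "__main__":
    for proto, qname, src in isatap_name_lookups(SAMPLE_QUERIES):
        print(f"ISATAP name lookup via {proto}: {qname} from {src}")
    for v4 in sorted(observed_isatap_endpoints(SAMPLE_ADDRS)):
        print(f"ISATAP tunnel endpoint observed in IPv6 address: {v4}")
```

Running the script on the constructed input reports three name lookups (one over DNS, two over LLMNR, the second of them for the bare name "ISATAP") and two tunnel endpoints, 10.0.0.5 and 192.168.1.1, recovered from the interface identifiers; the address check is what lets a monitoring point recognise ISATAP traffic without knowing in advance what the name resolved to.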
