Hi Fernando,

> -----Original Message-----
> From: Fernando Gont [mailto:[email protected]]
> Sent: Thursday, February 28, 2013 9:10 PM
> To: Templin, Fred L
> Cc: [email protected]
> Subject: Re: [OPSEC] comment on 'draft-ietf-opsec-ipv6-implications-on-
> ipv4-nets'
> 
> Hi, Fred,
> 
> On 02/27/2013 03:31 PM, Templin, Fred L wrote:
> >
> >   "As a result, blocking ISATAP by preventing hosts from
> >    successfully performing name resolution for the
> >    aforementioned names and/or by filtering packets with
> >    specific IPv4 destination addresses is both difficult
> >    and undesirable."
> >
> > I would like to understand this better. In particular, the
> > ISATAP service is by design disabled by disabling name
> > resolution for the name "isatap.domainname" and/or by
> > disabling the ISATAP router advertisement service. Can
> > you say why this would be difficult and undesirable?
> 
> Preventing name resolution is virtually impossible, since Windows nodes
> not only try to perform such resolution with DNS, but also with LLMNR.
> In order to block the latter, you should be able to achieve such
> filtering at layer 2 -- and that would be a bit onerous (not to mention
> how difficult that would be if fragmentation is employed).

Nodes that send RAs in response to LLMNR queries for ISATAP
when they shouldn't are rogue IPv6 "routers" that have somehow
gained access to what should be a protected link. The concern
is no different than for any rogue IPv6 router that gains access
to an ordinary link. In the case of ISATAP, the router can be
located by its IPv4 address. For ordinary routers, the router
can be located by its MAC address. The mitigations for the
attack profile are the same in either case.

Thanks - Fred
[email protected]

> Since you never know what the isatap domain names may resolve to, it's
> essentially impossible to block isatap packets based on a specific
> destination address (you'd need to know such address in advance in order
> to create the ACL).
> 
> Please do let me know if this clarification has been of any help.
> 
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
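Both messages come back to the same operational point: an ISATAP node, rogue or legitimate, announces its IPv4 address inside its IPv6 interface identifier, and that embedded address is what a defender needs both to locate the node and to write the destination-address ACL that the quoted text says cannot be written in advance. The following is an added example, not code from the draft or from either correspondent. It assumes a constructed list of IPv6 addresses harvested from a link (an ND cache dump or flow logs), uses documentation prefixes only, and relies on the RFC 5214 interface-identifier layout (0000:5EFE or 0200:5EFE followed by the IPv4 address, with the 0200 form marking the IPv4 address as globally unique).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: IPv6 addresses observed on a link. These are made-up
# values using documentation prefixes, not data from the thread or the draft.
SAMPLE_ADDRESSES = [
    "fe80::5efe:192.0.2.10",             # ISATAP link-local, u bit clear
    "2001:db8:1::200:5efe:203.0.113.5",  # ISATAP global, u bit set
    "fe80::1",                           # ordinary link-local router address
    "2001:db8::5efe:1",                  # 5efe present, but not in the ISATAP IID slot
    "2001:db8:1::200:5efe:203.0.113.5",  # duplicate observation of the same node
]


def isatap_embedded_ipv4(addr: str) -> Optional[Tuple[ipaddress.IPv4Address, bool]]:
    """Return (embedded IPv4 address, u_bit) if addr carries an ISATAP IID, else None.

    RFC 5214 defines the 64-bit interface identifier as 0000:5EFE:a.b.c.d or
    0200:5EFE:a.b.c.d; the 0200 form (u bit set) marks a.b.c.d as globally unique.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[0] not in (0x00, 0x02) or iid[1] != 0x00 or iid[2:4] != b"\x5e\xfe":
        return None
    return ipaddress.IPv4Address(iid[4:8]), bool(iid[0] & 0x02)


def find_isatap_endpoints(addresses: List[str]) -> Dict[str, List[str]]:
    """Map each embedded IPv4 endpoint to the distinct ISATAP IPv6 addresses seen with it.

    The keys are exactly the IPv4 addresses an operator would put in a
    protocol-41 filter, or chase down as a rogue ISATAP router.
    """
    found: Dict[str, List[str]] = {}
    for a in addresses:
        hit = isatap_embedded_ipv4(a)
        if hit is None:
            continue
        v4, _ = hit
        bucket = found.setdefault(str(v4), [])
        if a not in bucket:
            bucket.append(a)
    return found


def isatap_link_local(ipv4: str, globally_unique: bool = False) -> str:
    """Build the link-local ISATAP address a node with this IPv4 address would use.

    Useful for checking whether RAs on the link really come from the one ISATAP
    router the site intends to run (assumed known to the operator).
    """
    prefix = "fe80::200:5efe:" if globally_unique else "fe80::5efe:"
    return str(ipaddress.IPv6Address(prefix + ipv4))


if __name__ == "__main__":
    for v4, v6_list in find_isatap_endpoints(SAMPLE_ADDRESSES).items():
        print(f"ISATAP endpoint {v4}: {', '.join(v6_list)}")
    print("expected link-local for 192.0.2.10:", isatap_link_local("192.0.2.10"))
```

Run against a real ND cache or flow export, the endpoint map gives the IPv4 addresses of every ISATAP speaker on the link, which is the information the "difficult" ACL in the draft text depends on. The negative cases in the sample (an ordinary link-local address, and an address where 5efe appears outside the IID's first 32 bits) are there because a naive substring match on "5efe" would misfire on both.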

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec