On Thu, 13 Dec 2001, Kristof Verhenne wrote:

> I've got a host on a network, and all IPv6 traffic is not filtered to
> that host, but the IPv4 traffic is filtered. It's the only host
> speaking IPv6 on the network.
> That host is now acting as IPv6 router and IPv4(NAT) router. Is it
> possible to gain IPv4-privileges on the network by routing through IPv6
> to that host and make it translate to IPv4?
>
> host A(10.1.1.1)-------|
>                        router(v6 and v4) -- ipv4 subnet -- IPv4 firewall
>                                                          ---- internet
> host B(10.1.2.1)-------|
>
> Through tunneling my router is reachable.
>
> My sysadmin is somewhat concerned and I suppose there must be a
> possibility to infiltrate that way, but I don't know how.
> Because I can imagine, in the future; when there will be hosts that only
> speak IPv6; and if they want to reach a host that only speaks IPv4 there
> must be a way. At this time I've disabled the IPv4 routing.
>
Normally, hosts don't accept ip packets to their ports that are not sent to one of the ip's assigned to their interfaces. If you make sure the router doesn't somehow send ipv6 packets through the NAT (I don't think that's possible already, ipv6 through NAT...), then ipv6 addresses stay ipv6 addresses, and hosts that do not support ipv6 addresses on your internal network can't receive these packages.

The hosts that DO have an ipv6 address, are vulnerable to potential exploits. Make sure that daemons only run on ipv4 addresses, i.e. don't allow them to bind to all ips on all interfaces, like most of them do; otherwise, those daemons _can_ be reached with the globally routable ipv6 address, and exploited.

But, IMHO (I'm not really that big a security-expert), if you make sure no ipv4 machines support ipv6 connections (be careful with default kernels that might come with ipv6 support...), you are reasonably safe. And take care of having all daemons safe against buffer overflows and test cgi's and the whole blurb - you know that undoubtedly - ipv6 isn't a security issue in itself, of course.

Kind regards,

wouter

--
Wouter Van Hemel <[EMAIL PROTECTED]>
icq 21227038 //

---------------------------------------------------------------------
The IPv6 Users Mailing List
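
One way to audit the reply's advice about daemons that bind to all addresses, as an added example that is not part of the original message: it lists TCP listeners from text in the Linux `/proc/net/tcp6` layout and flags those bound to the wildcard or to a routable IPv6 address. It assumes a little-endian host; the sample lines and the helper names are constructed for illustration.

```python
import ipaddress

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp6

# Constructed sample in /proc/net/tcp6 layout (not captured from a real host).
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A
   2: B80D0120000000000000000001000000:0050 00000000000000000000000000000000:0000 0A
   3: 000080FE00000000FF1B1202CDAB00FE:0277 00000000000000000000000000000000:0000 0A
   4: B80D0120000000000000000001000000:C350 B80D0120000000000000000002000000:0050 01
"""

def decode_addr(hex_addr):
    """Each 32-bit word is printed in host byte order; assume little-endian."""
    raw = bytes.fromhex(hex_addr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
    return ipaddress.IPv6Address(fixed)

def classify(addr):
    if addr.is_unspecified:
        return "wildcard"    # bound to ::, answers on every IPv6 address
    if addr.is_loopback:
        return "loopback"    # local processes only
    if addr.is_link_local:
        return "link-local"  # reachable from neighbours on the same link
    return "routable"        # reachable from wherever the prefix is routed

def ipv6_listeners(proc_text):
    """Return (address, port, scope) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        found.append((str(addr), int(hex_port, 16), classify(addr)))
    return found

def exposed(listeners):
    """Listeners a remote IPv6 peer could reach: wildcard or routable binds."""
    return [entry for entry in listeners if entry[2] in ("wildcard", "routable")]

if __name__ == "__main__":
    for address, port, scope in exposed(ipv6_listeners(SAMPLE_TCP6)):
        print(f"[{address}]:{port} is reachable over IPv6 ({scope} bind)")
```

On a live Linux host, pass the contents of `/proc/net/tcp6` to `ipv6_listeners` instead of the sample.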
