On Thu, 13 Dec 2001, Kristof Verhenne wrote:

> Wouter Van Hemel wrote:
> > Normally, hosts don't accept ip packets to their ports that are not sent
> > to one of the ip's assigned to their interfaces. If you make sure the
> > router doesn't somehow send ipv6 packets through the NAT (I don't think
> > that's possible already, ipv6 through NAT...), then ipv6 addresses stay
> > ipv6 addresses, and hosts that do not support ipv6 addresses on your
> > internal network can't receive these packets.
>
> I wonder how that NAT would work. How would you ever be able to reach
> an IPv4-only host with an IPv6-only host? The IPv6-NAT-router could map
> services to an IPv4-net-host and use its address as destination, but I
> wonder if this is yet possible?
>

That depends on your choice of NAT-implementation, I don't know by heart
which OS supports NAT. I don't think ipf and ipfw do. You should look that
up in the documentation of your specific NAT/firewall implementation,
probably that functionality is being tested/implemented, and didn't reach a
state suitable for production use yet.

> > The hosts that DO have an ipv6 address, are vulnerable to potential
> > exploits. Make sure that daemons only run on ipv4 addresses, i.e. don't
> > allow them to bind to all ips on all interfaces, like most of them do;
> > otherwise, those daemons _can_ be reached with the globally routable ipv6
> > address, and exploited.
>
> Suppose there are some hosts with IPv6-addresses but not configured, then
> the only way to reach them is by link-local addressing?

If no ip's are configured to be used by the nics (startup-scripts), the host
won't have any ip's (others: correct me please); you don't have a route
advertisement daemon running, so I guess no OS will just make up an ip in
its boot-scripts.

> On the interface
> to the IPv4-net there's no router advertisement daemon. btw, how can I
> know if there are some IPv6-enabled hosts on a network? Is there some
> kind of broadcast ping?
>

You could use a network 'sniffer' - all ethical considerations aside,
you're sniffing transport, not contents - like snort, netwatch, ethereal (I
don't know about ipv6 support, but they will at least recognise the packets
as being ipv6). Another way is checking (logging, maybe) router throughput -
which requires access to the router; and yet another method, so simple
people often forget it, is communication with other people. :) I'm sure the
one responsible for the subnet has an idea what lives in it...

All of which does not matter if you decide to tunnel ipv6 in ipv4 the whole
way, i.e. one tunnel's end is your server itself.

> > But, IMHO (I'm not really that big a security-expert), if you make sure no
> > ipv4 machines support ipv6 connections (be careful with default kernels
> > that might come with ipv6 support...), you are reasonably safe.
> >
> > And take care of having all daemons safe against buffer overflows and test
> > cgi's and the whole blurb - you know that undoubtedly - ipv6 isn't a
> > security issue in itself, of course.
>
> I'll put an IPv6-firewall some day, when I'm not loaded with other
> projects :p
>

Hmm... *biting lower lip*... :) I think many firewall solutions don't have
adequate support for ipv6 yet, i.e. of course they recognise ipv6 protocols,
but don't really filter yet because they don't analyse the packets. The last
time I checked (some time ago), ipf didn't have ipv6 support in openbsd...
someone more info on this? There were some problems between the author of
ipf and the openbsd team, I've heard...

Kind regards,
wouter

---------------------------------------------------------------------
The IPv6 Users Mailing List
Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]
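The point raised in the thread about daemons that "bind to all ips on all interfaces" can be checked on a host. The following audit script is an added example, not code from this thread or the mailing list; it assumes the Linux /proc/net/tcp and /proc/net/tcp6 text format, and the two sample dumps embedded in it are constructed. It lists every listening socket bound to the unspecified address (:: or 0.0.0.0), which is exactly the case where a daemon also answers on a globally routable IPv6 address.

```python
import ipaddress

LISTEN_STATE = "0A"  # value of the "st" column for a listening socket

# Constructed /proc/net/tcp6 sample (trailing columns trimmed): sshd on ::
# (port 0x16 = 22), SMTP on ::1 (0x19 = 25), a web server on 2001:db8::1
# (0x50 = 80) and one established, non-listening connection.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346
   2: B80D0120000000000000000001000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347
   3: 00000000000000000000000001000000:0019 00000000000000000000000001000000:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 12348
"""
# Constructed /proc/net/tcp sample: sshd on 0.0.0.0:22, SMTP on 127.0.0.1:25.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12340
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12341
"""


def _decode_addr(hex_addr):
    """The kernel prints the address as 32-bit words in host byte order
    (little-endian on x86), so reverse the bytes of each 8-hex-digit word."""
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1]
                   for i in range(0, len(hex_addr), 8))
    return ipaddress.IPv6Address(raw) if len(raw) == 16 else ipaddress.IPv4Address(raw)


def parse_listeners(proc_text):
    """Return (address, port) for every LISTEN row of a /proc/net/tcp{,6} dump.
    Data rows start with a slot number such as "0:"; the header starts with "sl"."""
    listeners = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":") or fields[3] != LISTEN_STATE:
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.append((_decode_addr(addr_hex), int(port_hex, 16)))
    return listeners


def wildcard_listeners(proc_text):
    """Listeners bound to the unspecified address (:: or 0.0.0.0), i.e. reachable
    on every address of every interface, a global IPv6 address included. On Linux
    a :: socket with net.ipv6.bindv6only=0 accepts IPv4 connections as well."""
    return [(str(a), p) for a, p in parse_listeners(proc_text) if a.is_unspecified]
```

On a live Linux host, feed it the real tables with `wildcard_listeners(open("/proc/net/tcp6").read())` and `wildcard_listeners(open("/proc/net/tcp").read())`; every entry returned is a daemon that should be reconfigured to bind to specific addresses.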
