Re: IPv4 mapped address considered harmful

Thank you very much for your prompt response.

On Fri, 23 Aug 2002 itojun@iijlab.net wrote:

> >>                  IPv4 mapped address considered harmful
> >>                draft-itojun-v6ops-v4mapped-harmful-00.txt

[snip]

> >No change to the IPv6 protocol or network stacks is required, one only 
> >needs to maintain existing best practices by using simple packet filtering 
> >devices.
> 
> 	did i suggest removing firewalls from your network?  i don't think so.
> 	yes, if you install a firewall rule which drops ::ffff:0:0/96, you can
> 	remedy the problem (to some degree).  however, given that there are
> 	protocol proposals that make use of IPv4 mapped address on wire, you
> 	will become incompatible with those proposals.

It would be nice if IPv6 firewalling products would auto-generate rules 
for the ::ffff:0:0/96 netblock based on your preexisting IPv4 rules, as 
otherwise you will have to recreate them by hand, introducing errors.  
That I think we agree on.  I don't think it will be necessary to filter 
out the entire ::ffff:0:0/96 netblock, making yourself incompatible with 
IPv4-in-IPv6 addressing though.

> 
> 	changes to protocol/network stack is required as firewall does not
> 	remedy all of the problems presented in the draft (only some of them).
> 

True, maybe I'm dense but I still don't see how the remaining problems are 
any different than current issues with IPv4 networks.  I can see how 
applications could make filtering a bit more difficult if the admin has to 
replicate all their filters (introducing errors) for both IPv4 and 
IPv4-in-IPv6 networks (filter out both 127.0.0.1 source and 
::ffff:127.0.0.1) but this shouldn't be an issue if the OS makes the IPv4 
address available to the application instead of the full IPv6 address.

Maybe we actually agree on the technical issues, but are having a semantic 
argument.  I don't see the difference in risk or resolution measures 
between the way things currently work, and the way they would work on an 
IPv6 network (although I'm no IPv6 expert so I may be misunderstanding 
things).  I do think it is a good idea to bring this up as many admins 
could easily forget about IPv4-in-IPv6 addressing and fail to take it 
into account when designing their security infrastructure.



-- 
Mark Tinberg <MTinberg@securepipe.com>
Network Security Engineer, SecurePipe Inc.
Remember:  Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1  38A4 CF52 5FE0 7470 E5F7

	Your daily fortune . . . 

The Commandments of the EE:

(7)	Work thou not on energized equipment for if thou doest so, thy
	friends will surely be buying beers for thy widow and consoling
	her in certain ways not generally acceptable to thee.
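An added example in Python, not part of the thread or of any product it mentions, of the two remedies discussed above: mechanically mirroring an existing IPv4 rule set onto ::ffff:0:0/96 so the IPv6 filter does not have to be recreated by hand, and unmapping an IPv4-mapped address back to plain IPv4 before an application or host filter applies its IPv4 rules. The access list, the rule format and the test addresses are constructed for the example; the "naive" path shows what happens when an admin forgets mapped addresses and the IPv4 rules simply never see the packet.

```python
import ipaddress

# Constructed sample: an administrator's existing IPv4-only access list.
# Tuples are (network, action); the first matching rule wins. These rules
# are made up for this example, not the policy of anyone in the thread.
IPV4_ACL = [
    ("127.0.0.0/8", "drop"),      # loopback must never arrive from the wire
    ("10.0.0.0/8", "drop"),       # RFC 1918 space from outside
    ("192.0.2.0/24", "accept"),   # TEST-NET-1 standing in for "our customers"
    ("0.0.0.0/0", "drop"),        # default deny
]

MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


def unmap(source):
    """Return the embedded IPv4 address for an IPv4-mapped IPv6 address
    (::ffff:a.b.c.d); any other address is returned unchanged. This is the
    'OS hands the application the IPv4 address' behaviour from the thread."""
    ip = ipaddress.ip_address(source)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def decide_naive(acl, source):
    """Apply an ACL literally, matching only rules of the source's own
    address family. Against IPV4_ACL, ::ffff:127.0.0.1 is an IPv6Address,
    so it matches nothing and None is returned: the IPv4 rules never saw it."""
    ip = ipaddress.ip_address(source)
    for net, action in acl:
        network = ipaddress.ip_network(net) if isinstance(net, str) else net
        if ip.version == network.version and ip in network:
            return action
    return None


def decide_normalized(acl, source):
    """Same ACL, but the address is unmapped first, so ::ffff:127.0.0.1 is
    judged by the 127.0.0.0/8 rule exactly as 127.0.0.1 would be."""
    return decide_naive(acl, str(unmap(source)))


def mirror_acl_to_mapped(acl):
    """Generate the ::ffff:0:0/96 counterpart of every IPv4 rule so an IPv6
    filter enforces the same policy on mapped addresses without hand
    transcription: 127.0.0.0/8 becomes ::ffff:127.0.0.0/104 (the prefix
    length grows by 96, the width of the ::ffff: prefix)."""
    mirrored = []
    for net, action in acl:
        v4 = ipaddress.IPv4Network(net)
        mapped_int = int(MAPPED_PREFIX.network_address) | int(v4.network_address)
        mirrored.append((ipaddress.IPv6Network((mapped_int, 96 + v4.prefixlen)), action))
    return mirrored


if __name__ == "__main__":
    # Constructed test sources: the dangerous case is the mapped loopback.
    for src in ("127.0.0.1", "::ffff:127.0.0.1", "::ffff:192.0.2.7", "2001:db8::1"):
        print(f"{src:18} naive={decide_naive(IPV4_ACL, src)!s:6} "
              f"normalized={decide_normalized(IPV4_ACL, src)!s:6} "
              f"mirrored-v6-acl={decide_naive(mirror_acl_to_mapped(IPV4_ACL), src)}")
    for net, action in mirror_acl_to_mapped(IPV4_ACL):
        print(f"{action:6} {net.exploded}")
```

Either approach closes the gap Mark describes; the mirrored rule set is the firewall-side fix and unmap() is the host/application-side one. Neither requires dropping all of ::ffff:0:0/96, so a mapped address that the IPv4 policy would accept still gets through.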

