Re: IPv4 mapped address considered harmful

From: Peter J. Holzer (hjpat_private)
Date: Fri Aug 23 2002 - 00:54:56 PDT


    On 2002-08-23 01:18:40 +0900, Jun-ichiro itojun Hagino wrote:
    > 2.  Threats due to the use of IPv4 mapped address on wire
    > 
    > When a userland application on top of the AF_INET6 API sees peers with IPv4
    > mapped addresses (e.g. via getpeername(2) or recvfrom(2)), it cannot
    > detect whether the packet actually was IPv4 (IPv4 mapped address appeared due
    > to basic API behavior) or IPv6 (SIIT behavior).
    
    I don't think it should care.
    
    
    > This ambiguity gives a malicious party chances to trick victim nodes.
    > Here are a couple of examples:
    > 
    > o By transmitting an IPv6 packet with ::ffff:127.0.0.1 in the IPv6 source
    >   address field, applications that assume basic API behavior will be
    >   tricked into believing that the packet is from the node itself (IPv4
    >   loopback address, 127.0.0.1).
    > 
    > o By transmitting an IPv6 packet to a firewall device, with an IPv4 mapped
    >   address corresponding to an address inside the firewall (like
    >   ::ffff:10.1.1.1) as the IPv6 source address, a malicious party could
    >   bypass IPv4 filtering rules and inject traffic inside the firewall.
    > 
    > o Assume that the victim node is an IPv4/v6 dual stack node.  By
    >   transmitting an IPv6 packet with an IPv4 mapped address corresponding to
    >   the IPv4 broadcast address (::ffff:10.255.255.255) in the IPv6 source
    >   address field, to a TCP/UDP port that swaps IPv6 source and destination
    >   address (e.g. UDP port 53, DNS), a malicious node can trick the victim
    >   node into generating improper IPv4 broadcast traffic; this is because the
    >   basic API on the victim node will turn transmission requests to the
    >   destination IPv4 mapped address, ::ffff:10.255.255.255, into IPv4 traffic.
    
    How are these examples more dangerous with IPv6 than with plain IPv4?
    You can just send those packets as plain IPv4 packets and get exactly
    the same effect. Also the remedy in all three cases is the same: Reverse
    path filtering in the first two cases, not setting SO_BROADCAST in the
    last (or filtering of martians in the kernel).
    
    I agree that some people will underestimate the complexity of supporting
    both IPv4 and IPv6 and therefore make errors which they wouldn't have
    made with IPv4 only, but your examples don't seem to be especially
    illustrative.
    
    	hp
    
    -- 
       _  | Peter J. Holzer      | Older sources (i.e. ones that are already
    |_|_) | Sysadmin WSR / LUGA  | more than 12 hours old) should generally
    | |   | hjpat_private        | not be used with Linux -
    __/   | http://www.hjp.at/   | Real Time Linux??    -- Gerhard Schneider
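The point Holzer makes ("I don't think it should care") translates into a concrete application-side rule: whatever the AF_INET6 API reports as ::ffff:a.b.c.d gets exactly the sanity check an IPv4-only program would apply to a.b.c.d, whether the packet arrived as IPv4 or as IPv6 with a mapped source on the wire. The following C program is an added example, not code from either post; the names classify_peer, classify_text and v4_is_martian_source are illustrative, and the sample peers are constructed, not captured traffic. It catches itojun's first example (mapped loopback) at the application, and deliberately lets the second and third (an inside address, a subnet-directed broadcast) through, because, as the reply says, those are the firewall's reverse-path filter and the kernel's SO_BROADCAST check to handle; an application cannot know the subnet mask.

```c
/* Added example: classify the peer address an AF_INET6 socket reported.
 * Names (classify_peer, classify_text, v4_is_martian_source) are
 * illustrative only and not from the mailing-list post. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum peer_kind {
    PEER_INVALID,   /* text did not parse as an IPv6 address */
    PEER_V6,        /* native IPv6 source that passes the sanity check */
    PEER_V4MAPPED,  /* ::ffff:a.b.c.d, and a.b.c.d passes the IPv4 check */
    PEER_MARTIAN    /* may never appear as a source: drop and log */
};

/* The check an IPv4-only application applies to an AF_INET peer.
 * 'a' is in host byte order. Subnet-directed broadcasts such as
 * 10.255.255.255 cannot be recognised here (no subnet mask is known);
 * that stays with the kernel: reverse path filtering, SO_BROADCAST unset. */
int v4_is_martian_source(uint32_t a)
{
    if ((a >> 24) == 127) return 1;      /* 127/8 loopback */
    if ((a >> 24) == 0) return 1;        /* 0/8 "this network" */
    if ((a >> 28) == 0xE) return 1;      /* 224/4 multicast */
    if (a == 0xFFFFFFFFu) return 1;      /* 255.255.255.255 limited broadcast */
    return 0;
}

/* Classify an address from getpeername(2)/recvfrom(2) on an AF_INET6 socket.
 * Whether the datagram arrived as IPv4 (mapped by the API) or as IPv6 with
 * ::ffff:... on the wire is not visible here, so the embedded IPv4 address
 * gets the IPv4 treatment either way. */
enum peer_kind classify_peer(const struct in6_addr *a)
{
    if (IN6_IS_ADDR_V4MAPPED(a)) {
        uint32_t v4;
        memcpy(&v4, &a->s6_addr[12], sizeof v4);   /* last 4 bytes: a.b.c.d */
        return v4_is_martian_source(ntohl(v4)) ? PEER_MARTIAN : PEER_V4MAPPED;
    }
    if (IN6_IS_ADDR_UNSPECIFIED(a) || IN6_IS_ADDR_LOOPBACK(a) ||
        IN6_IS_ADDR_MULTICAST(a))
        return PEER_MARTIAN;
    return PEER_V6;
}

/* Wrapper so the check can be driven with textual addresses. */
enum peer_kind classify_text(const char *text)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1)
        return PEER_INVALID;
    return classify_peer(&a);
}

int main(void)
{
    /* Constructed sample peers, not captured traffic. */
    static const char *const samples[] = {
        "::ffff:127.0.0.1",        /* first example: caught here */
        "::ffff:10.1.1.1",         /* second example: the firewall's job */
        "::ffff:10.255.255.255",   /* third example: the kernel's job */
        "::ffff:255.255.255.255",
        "::1", "2001:db8::1", "ff02::1",
    };
    static const char *const names[] = {"invalid", "ipv6", "v4-mapped", "martian"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i], names[classify_text(samples[i])]);
    return 0;
}
```

A server that wants no IPv4 peers at all should instead set IPV6_V6ONLY on the listening socket and bind a separate AF_INET socket, which removes the mapped form from the API altogether.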
    This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 11:55:52 PDT