(ngtrans) Security and use of SIIT and NAT-PT [IPv4 and MIPv6 Transition]

Pekka Savola <pekkas@netcore.fi> Thu, 25 October 2001 12:55 UTC

Date: Thu, 25 Oct 2001 15:52:46 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: ngtrans@sunroof.eng.sun.com
cc: "'mobile-ip@sunroof.eng.sun.com'" <mobile-ip@sunroof.eng.sun.com>
Subject: (ngtrans) Security and use of SIIT and NAT-PT [IPv4 and MIPv6 Transition]
In-Reply-To: <4B6BC00CD15FD2119E5F0008C7A419A51308EDE6@eaubrnt018.epa.ericsson.se>
Message-ID: <Pine.LNX.4.33.0110251528520.19785-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ngtrans@sunroof.eng.sun.com
Precedence: bulk
Reply-To: Pekka Savola <pekkas@netcore.fi>

I'll post this primarily on ngtrans.  If there are further comments I think 
mobile-ip can be safely removed.

On Thu, 25 Oct 2001, Hesham Soliman (EPA) wrote:
> > Perhaps I shouldn't comment on this, but anyway...
> > 
> 	=> Why not !

Partly ideological debate, better held in ngtrans anyway :-)
 
> > > There is another draft you can find at:
> > > http://standards.ericsson.net/hesham/draft-ietf-ngtrans-siit-dstm-00.txt
> > > 
> > > It's a WG draft in NGTRANS but it expired and I'll
> > > resubmit it after adding some of the comments received. 
> > 
> > SIIT is regarded by many to be an abomination (redefining internal 
> > structure like mapped-addresses) from security point-of-view among others.
> > 
> > It can probably solve some problems efficiently though, or else it 
> > wouldn't have been introduced. :-)
> > 
> 	=> Well SIIT is a translation algorithm, used by NAT-PT and
> 	this draft. It certainly does solve problems, like translating
> 	packets.

There is a significant difference between the SIIT and NAT-PT algorithms.  NAT-PT
does not use mapped addresses when signifying an IPv4 node.

Putting mapped addresses as source/destination addresses is evil; think of
(ab)using these against dual-stacked nodes. 

E.g.: IPv4 firewall would block packets from source 1.2.3.4, but the
packet gets through via IPv6 transport with src address ::ffff:1.2.3.4,
and the destination will falsely believe that it originated from IPv4
source 1.2.3.4.

This would open some new IPv6 <-> IPv4 reflector attacks, too, I believe.
 
> > But it should be kept in mind that it, alone, cannot be relied on to be
> > sufficient for (M)IPv4 -> (M)IPv6 transition.
> > 
> 	=> Can you elaborate a bit ? This draft is done for allowing
> 	IPv4-only nodes to communicate with IPv6-only nodes. 
> 	MIP is one aspect of this communication. 
> 	The draft doesn't say that this is the only way to do it, 
> 	although in fact, for this scenario, it is the only way I know
> 	of that allows for mobility support. 

Perhaps I didn't say it clearly; _IMO_, SIIT is not fit to be a
wide-spread translation mechanism for IPv6-only nodes.  NAT-PT seems much
better.  I tried to avoid getting MIP mixed into this.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
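The firewall bypass described in the message, with the mitigation a dual-stack filter would apply, as an added example that is not part of the list message or of any ngtrans draft. It assumes a constructed IPv4 block list containing 1.2.3.4 and goes slightly beyond the message by also recognising the SIIT IPv4-translated prefix (::ffff:0:0:0/96, RFC 2765) alongside the IPv4-mapped prefix (::ffff:0:0/96).

```python
import ipaddress
from typing import Optional

# Prefixes that carry an IPv4 address in their low 32 bits.
MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")        # IPv4-mapped (RFC 4291)
TRANSLATED = ipaddress.IPv6Network("::ffff:0:0:0/96")  # IPv4-translated, SIIT (RFC 2765)

# Constructed sample IPv4 policy: the IPv4 firewall in the message blocks 1.2.3.4.
IPV4_BLOCKLIST = [ipaddress.IPv4Network("1.2.3.0/24")]


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in an IPv4-mapped or IPv4-translated
    IPv6 address; None for plain IPv6 or for a literal IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and (ip in MAPPED or ip in TRANSLATED):
        return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return None


def ipv4_blocked(v4: ipaddress.IPv4Address) -> bool:
    return any(v4 in net for net in IPV4_BLOCKLIST)


def ipv6_filter_verdict(src: str, dst: str, allow_translated: bool = True) -> str:
    """Verdict for an IPv6 packet seen on the wire with these addresses.

    1. Any address embedding IPv4 is judged by the IPv4 block list, so the
       IPv4 policy cannot be bypassed by re-encoding the source over IPv6.
    2. IPv4-mapped addresses are a socket-API convention, not wire addresses:
       a packet carrying one as source or destination is dropped outright.
    3. SIIT IPv4-translated addresses are legitimate on the wire and pass
       unless allow_translated is False.
    """
    for label, addr in (("src", src), ("dst", dst)):
        v4 = embedded_ipv4(addr)
        if v4 is not None and ipv4_blocked(v4):
            return f"drop: IPv4 policy blocks {label} {v4}"
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip in MAPPED:
            return f"drop: IPv4-mapped {label} address on the wire"
        if ip.version == 6 and ip in TRANSLATED and not allow_translated:
            return f"drop: IPv4-translated {label} address not permitted"
    return "pass"


if __name__ == "__main__":
    # Constructed sample packets; the first is the bypass from the message.
    for s, d in [("::ffff:1.2.3.4", "2001:db8::1"), ("::ffff:9.9.9.9", "2001:db8::1"),
                 ("::ffff:0:9.9.9.9", "2001:db8::1"), ("2001:db8::2", "2001:db8::1")]:
        print(f"{s} -> {d}: {ipv6_filter_verdict(s, d)}")
```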