RE: (ngtrans) Security and use of SIIT and NAT-PT [IPv4 and MIPv6 Transition]
"Hesham Soliman (EPA)" <Hesham.Soliman@ericsson.com.au> Fri, 26 October 2001 02:10 UTC
Message-ID: <4B6BC00CD15FD2119E5F0008C7A419A51308EDED@eaubrnt018.epa.ericsson.se>
From: "Hesham Soliman (EPA)" <Hesham.Soliman@ericsson.com.au>
To: 'Pekka Savola' <pekkas@netcore.fi>, ngtrans@sunroof.eng.sun.com
Subject: RE: (ngtrans) Security and use of SIIT and NAT-PT [IPv4 and MIPv6 Transition]
Date: Fri, 26 Oct 2001 12:00:32 +1000
> I'll post this primarily on ngtrans. If there are further comments I think
> mobile-ip can be safely removed.
>
> > > > > There is another draft you can find at:
> > > > > http://standards.ericsson.net/hesham/draft-ietf-ngtrans-siit-dstm-00.txt
> > > >
> > > > It's a WG draft in NGTRANS but it expired and I'll
> > > > resubmit it after adding some of the comments received.
> > >
> > > SIIT is regarded by many to be an abomination (redefining internal
> > > structure like mapped-addresses) from security point-of-view among others.
> > >
> > > It can probably solve some problems efficiently though, or else it
> > > wouldn't have been introduced. :-)
> > >
> > => Well, SIIT is a translation algorithm, used by NAT-PT and
> > this draft. It certainly does solve problems, like translating
> > packets.
>
> There is a significant difference with SIIT and NAT-PT algorithm. NAT-PT
> does not use mapped addresses when signifying an IPv4 node.
>
> Putting mapped addresses as source/destination addresses is evil; think of
> (ab)using these against dual-stacked nodes.
>
=> You mean translated addresses as a src address. Mapped addresses are
dst addresses. "Evil" is a bit difficult to understand.

> E.g.: IPv4 firewall would block packets from source 1.2.3.4, but the
> packet gets through via IPv6 transport with src address ::ffff:1.2.3.4,
>
=> Err, reconfigure the firewall! Anyway, I must ask if you've read the
draft, because the proposed solution is hardly expected to allow these
addresses to go through firewalls. If I missed something in the draft
please let me know.

> and the destination will falsely believe that it originated from IPv4
> source 1.2.3.4.
>
=> I think this is a very straightforward implementation issue, unless
I'm missing something. If you can check on 1.2.3.4 you can certainly check
on ::ffff:1.2.3.4.

> > > But it should be kept in mind that it, alone, cannot be relied on to be
> > > sufficient for (M)IPv4 -> (M)IPv6 transition.
> > >
> > => Can you elaborate a bit? This draft is done for allowing
> > IPv4-only nodes to communicate with IPv6-only nodes.
> > MIP is one aspect of this communication.
> > The draft doesn't say that this is the only way to do it,
> > although in fact, for this scenario, it is the only way I know
> > of that allows for mobility support.
>
> Perhaps I didn't say it clearly; _IMO_, SIIT is not fit to be a
> widespread translation mechanism for IPv6-only nodes. NAT-PT seems much
> better. I tried to avoid getting MIP mixed into this.
>
=> Of course NAT-PT works, but much better for what? Clearly there are
different use scenarios here, to name some:
- How many IPv4 addresses does a domain have?
- Is e2e IP layer encryption needed?
- Is mobility support needed?
- Redundancy?
- more ....

I wouldn't say it's better, it depends on the scenario you're looking into.

Cheers,
Hesham

> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
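The firewall point argued above (Pekka's bypass with a source of ::ffff:1.2.3.4 versus Hesham's "if you can check on 1.2.3.4 you can certainly check on ::ffff:1.2.3.4") is concrete enough to show in code. The following is an added example, not code from the thread, the draft or any product either poster worked on. It puts a literal IPv4-only deny check beside a hardened check that first extracts the embedded IPv4 address and applies the same policy to it. It goes slightly beyond Pekka's single case: it handles both IPv6 forms that SIIT (RFC 2765) defines with an IPv4 address in the low 32 bits, the IPv4-mapped ::ffff:a.b.c.d form and the IPv4-translated ::ffff:0:a.b.c.d form. The deny list, the sample sources and the function names (`embedded_ipv4`, `naive_is_blocked`, `hardened_is_blocked`, `compare`) are constructed for illustration.

```python
"""Added example (not from the thread): applying an IPv4 firewall policy to
IPv6 packets that carry an embedded IPv4 address, as SIIT-style translation
produces. Deny list and sample sources are constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed deny list: the IPv4 prefixes a firewall would block (1.2.3.4 from the thread).
BLOCKED_V4: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("1.2.3.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# IPv6 address forms defined by SIIT (RFC 2765) that carry an IPv4 address in the low 32 bits:
#   ::ffff:a.b.c.d    IPv4-mapped      (what an IPv6 node uses as the destination)
#   ::ffff:0:a.b.c.d  IPv4-translated  (what an IPv6 node uses as its source)
EMBEDDED_V4_PREFIXES: List[ipaddress.IPv6Network] = [
    ipaddress.ip_network("::ffff:0:0/96"),
    ipaddress.ip_network("::ffff:0:0:0/96"),
]


def embedded_ipv4(src: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried inside a mapped or translated IPv6 address,
    or None when the address is native IPv4 or a plain IPv6 address."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and any(addr in pfx for pfx in EMBEDDED_V4_PREFIXES):
        return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)  # low 32 bits
    return None


def naive_is_blocked(src: str) -> bool:
    """Literal check: only a native IPv4 source is compared with the IPv4 deny list.
    This is the behaviour Pekka describes: 1.2.3.4 is denied, but the same host
    arriving as ::ffff:1.2.3.4 is treated as an unrelated IPv6 source and allowed."""
    addr = ipaddress.ip_address(src)
    return addr.version == 4 and any(addr in net for net in BLOCKED_V4)


def hardened_is_blocked(src: str) -> bool:
    """Normalise before matching: extract the embedded IPv4 address from the
    ::ffff:a.b.c.d and ::ffff:0:a.b.c.d forms and apply the IPv4 policy to it,
    so a rule written for 1.2.3.4 also covers ::ffff:1.2.3.4 (Hesham's point)."""
    addr = ipaddress.ip_address(src)
    v4 = embedded_ipv4(src) if addr.version == 6 else addr
    return v4 is not None and any(v4 in net for net in BLOCKED_V4)


# Constructed sample sources as a firewall on the IPv6 side might see them.
SAMPLE_SOURCES = [
    "1.2.3.4",           # native IPv4, on the deny list
    "::ffff:1.2.3.4",    # same host, IPv4-mapped: the bypass in Pekka's example
    "::ffff:0:1.2.3.4",  # same host, IPv4-translated: SIIT's source-address form
    "::ffff:8.8.8.8",    # mapped, but the embedded address is not on the list
    "2001:db8::1",       # plain IPv6, outside the IPv4 policy entirely
]


def compare(sources: List[str] = SAMPLE_SOURCES) -> Dict[str, Tuple[bool, bool]]:
    """Map each source to (naive_decision, hardened_decision); True means blocked."""
    return {s: (naive_is_blocked(s), hardened_is_blocked(s)) for s in sources}


if __name__ == "__main__":
    for src, (naive, hard) in compare().items():
        print(f"{src:18}  naive={'DENY' if naive else 'allow':5}  hardened={'DENY' if hard else 'allow'}")
```

Running the script prints one line per sample source; the mapped and translated forms of 1.2.3.4 are allowed by the naive check and denied by the hardened one, while ::ffff:8.8.8.8 and 2001:db8::1 are allowed by both. The design choice is to normalise to the embedded IPv4 address and reuse the existing IPv4 rule set rather than duplicating every IPv4 rule as an IPv6 rule, which is the "reconfigure the firewall" answer in a form that does not drift out of sync.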