[secdir] Review of draft-ietf-behave-v6v4-xlate-20

Tero Kivinen <kivinen@iki.fi> Fri, 11 June 2010 12:05 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 065E23A6817; Fri, 11 Jun 2010 05:05:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id yws1F4af4Hji; Fri, 11 Jun 2010 05:05:56 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi []) by core3.amsl.com (Postfix) with ESMTP id F2A933A68C6; Fri, 11 Jun 2010 05:05:55 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost []) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o5BC5rq8013386 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 11 Jun 2010 15:05:53 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o5BC5qmo003388; Fri, 11 Jun 2010 15:05:52 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <19474.9888.922292.408395@fireball.kivinen.iki.fi>
Date: Fri, 11 Jun 2010 15:05:52 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 22 min
X-Total-Time: 32 min
Cc: draft-ietf-behave-v6v4-xlate.all@tools.ietf.org
Subject: [secdir] Review of draft-ietf-behave-v6v4-xlate-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2010 12:05:58 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document describes the translation algorithm between ipv6 and
ipv4. The security considerations section say:

   The use of stateless IP/ICMP translators does not introduce any new
   security issues beyond the security issues that are already present
   in the IPv4 and IPv6 protocols and in the routing protocols that are
   used to make the packets reach the translator.

   There are potential issues that might arise by deriving an IPv4
   address from an IPv6 address - particularly addresses like broadcast
   or loopback addresses and the non IPv4-translatable IPv6 addresses,
   etc.  The [I-D.ietf-behave-address-format] addresses these issues.

This text is fine but the next paragraph describing the AH is bit

   As the Authentication Header [RFC4302] is specified to include the
   IPv4 Identification field and the translating function is not able to
   always preserve the Identification field, it is not possible for an
   IPv6 endpoint to verify the AH on received packets that have been
   translated from IPv4 packets.  Thus AH does not work through a

The Authentication Header includes also the addresses etc in the ICV
thus it is not only the IPv4 Identification field that causes problems
also the changing the IPv4 address to IPv6 addresses and vice versa,
changing the IP version field, payload length etc makes AH
incompatible with this translation.

If the text was supposed to say that some implementation which knows
both AH and this translation could be made to know that this packet
has gone through this translation and could then check the ICV by
reversing the translation before checking the ICV, then this text
should more clearly say that.

I.e instead of saying that endpoing cannot verify AH and that AH does
not work (standard AH as defined in RFC4302 will always fail the
verification), it should be said that it is not possible to make
specification which specifies how AH should be modified to understand
this translation and even then it would be impossible to completely
reverse translation as some information (like parts of the
Identification field) is not available. I also think that in addition
to the Identification field the translation is loosing information
about the IP extensions.

The last paragraph of security considerations section talks about ESP:

   Packets with ESP can be translated since ESP does not depend on
   header fields prior to the ESP header.  Note that ESP transport mode
   is easier to handle than ESP tunnel mode; in order to use ESP tunnel
   mode, the IPv6 node MUST be able to generate an inner IPv4 header
   when transmitting packets and remove such an IPv4 header when
   receiving packets.

Even with ESP there is complications, as in transport mode the
transport layer protocols inside the ESP do contain checksums which
cannot be modified by the translator, thus they will keep the original
IP addresses in there, and if the translation is not checksum neutral
then end node will throw away the packet after ESP processing as the
transport layer checksums are incorrect.

For tunnel mode the transport layer protocol checksums contains the
inner IP header thus they are ok.

Actually for ESP the situation is even more different, as the IPsec
will detect this kind of translation as NAT along the path, and will
enable NAT-Traversal, meaning ESP packets will get UDP encapsulated,
and the IPsec itself will do the checksum fixup as specified in the

On the other hand I do not know how many existing implementations know
how to handle checksum fixup when changing from IPv4 address to IPv6
address or other way around, altough some of them do full checksum
recalculation (or simply skip the transport layer checksum checking)
anyways so they might work.