Re: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)

[Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>]

Hi James,

On Wed, 27 Aug 2008 12:12:28 -0700
james woodyatt <jhw@apple.com> wrote:

> On Aug 27, 2008, at 03:17, Mark Smith wrote:
> > * Native IPv6 CPE security, plus IPv4 security/functionality
> > requirements to support IPv6 transition via IPv4 tunnelling
> 
> It was my understanding that this is the proper scope, not the  
> alternatives you mentioned.
> 

In that case, I'd still strongly suggest limiting the IPv6 in IPv6
tunnel support to authenticated protocols only. Bypassing the CPE
security using a linux box (or anything else that supports end-user
manually configured tunnels, on which the user has admin priviledges)
will be as simple as something like this (syntax probably not right ,
but that's because I've got a few minutes before I need to get ready for
work):

# ip -6 tunnel add v6cpe-bypass  remote 2001:<public node address>
# nmap -e v6cpe-bypass

As I understand the current draft, this would completely bypass any and
all of the IPv6 security mechanisms in the device - and because it's so
easy to do, anybody who wants to make an attempt at attacking an
end-node will do so this way. Only permitting inbound authenticated
tunneling protocols like IPsec, l2tp or pptp would easily defeat that.

Regards,
Mark.