Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Philipp Kern <phil@philkern.de> Fri, 17 August 2012 16:53 UTC

Date: Fri, 17 Aug 2012 18:53:29 +0200
From: Philipp Kern <phil@philkern.de>
To: v6ops@ietf.org
Message-ID: <20120817165329.GA7568@spike.0x539.de>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org> <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net> <20120817001116.AA2D123ABFA7@drugs.dv.isc.org> <000001cd7c8b$2fb8a1e0$8f29e5a0$@asgard.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="6TrnltStXW4iwmi0"
Content-Disposition: inline
In-Reply-To: <000001cd7c8b$2fb8a1e0$8f29e5a0$@asgard.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Precedence: list

Lee,

am Fri, Aug 17, 2012 at 11:15:49AM -0400 hast du folgendes geschrieben:
> Finally,
>    some transition/co-existence mechanisms (notably Teredo) are designed
>    to traverse Network Address Translators (NATs), which in many
>    deployments provide a minimum level of protection by only allowing
>    those instances of communication that have been initiated from the
>    internal network.  Thus, these mechanisms might cause an internal
>    host with otherwise limited IPv4 connectivity to become globally
>    reachable over IPv6, therefore resulting in increased (and possibly
>    unexpected) host exposure.  That is, the aforementioned technologies
>    might inadvertently allow incoming IPv6 connections from the Internet
>    to hosts behind the organizational firewall.

and how is that different from obtaining a global IPv4 through a VPN connection
to the outside? If you allow the UDP communication to the Teredo relays, you're
probably not stopping such VPNing neither. The lesson being that you need to
know what passes your organizational firewall and whitelist if you care about
that. But then I guess your point is that such tunnels are automatic and not
necessarily user-initiated. But that's an implementation detail with one
vendor's implementation… \:

Kind regards
Philipp Kern

Attachment: signature.asc

[v6ops] 3 Volunteers wanted - Draft: draft-gont-o… Gunter Van de Velde (gvandeve)
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Gunter Van de Velde (gvandeve)
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Lee Howard
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Eric Vyncke (evyncke)
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Eric Vyncke (evyncke)
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Warren Kumari
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Mark Andrews
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Carlos M. martinez
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Lee Howard
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Philipp Kern
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Jeroen Massar
Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Warren Kumari

Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Attachment: signature.asc