
RE: Another IPv6 Question



There are four addresses in a 6to4 packet:

In the IPv4 envelope:       IPv4 source, IPv4 destination.

In the IPv6 header:         IPv6 source, IPv6 destination.

The tests vary depending on whether the receiving router is a “6to4 relay” or a plain “6to4 router”.

A 6to4 relay is a public service that relays 6to4 packets to the global Internet. The following tests should be applied:

1) The IPv4 destination should be a relay address advertised by the router, normally the anycast address 192.88.99.1. If test 1 is not true, i.e. if the IPv4 address is “another” IPv4 destination advertised by the relay, then the “6to4 router” tests should be applied.

2) If the IPv4 destination is the relay address, then the IPv6 source should be a 6to4 address (starting with 2002::/16), and the IPv4 address embedded in that source address should be the same as the IPv4 source. (But see final remark.)

3) The source IPv4 address must be a valid unicast address, i.e. not multicast, not RFC 1918, not zeroconf, not 0/8, not 127/8.

A 6to4 router serves a local IPv6 network; the hosts in this network will have IPv6 addresses starting with the /48 6to4 prefix “2002:XXXX:YYYY”, where XXXX:YYYY is a global IPv4 address assigned to the router. The router may receive packets bound to that IPv6 network. The only test that can be applied is:

4) The destination IPv6 address should start with the 6to4 prefix “2002:XXXX:YYYY”, i.e. the router should not accept packets bound for another destination.

The reason for that is, any dual stack router that sees a packet bound to a 2002::/16 prefix is supposed to just encapsulate it in IPv4 and ship it to the 6to4 router. Thus, there is no way to check any kind of tying between the IPv4 source address and the IPv6 source address. The only additional test that might be applied is:

5) If the source IPv6 address is a 6to4 address, then the IPv4 source address should match the address embedded in the 6to4 prefix. (But see final remark.)

On the sending path, all 6to4 routers, or all IPv6 routers sending packets to a 6to4 router, should verify that the destination IPv4 is global, i.e.

6) The destination IPv4 address must be a valid unicast address, i.e. not multicast, not RFC 1918, not zeroconf, not 0/8, not 127/8.

You must be conscious that all these tests have a limited value. It is not terribly hard for a hacker to forge an IPv4 source address – many ISPs do not perform ingress filtering. The risk of making the tests too strict is that you will reject valid packets that happen to be routed by an alternate path, e.g. from a site with 2 exit 6to4 routers – this means that tests 2 and 5 can fail with arguably valid traffic; at the same time, the tests will not block a determined hacker. My personal recommendation is to follow Jon Postel’s robustness principle, i.e. “be conservative in what you send, be liberal in what you receive.” I would only perform tests 1, 3 and 6 in a relay, and tests 4 and 6 in a router.


By the way, the proper discussion forum for 6to4 is the IETF V6OPS working group.


-- Christian Huitema


-----Original Message-----
From: D S [mailto:ipv6guru2002@yahoo.com]
Sent: Thursday, September 26, 2002 7:42 AM
To: debian-ipv6@lists.debian.org; mlist-debianipv6@x-tec.de
Cc: Christian Huitema
Subject: Another IPv6 Question


Is there a way to verify an IPv6 address given an IPv4 source address (e.g. inside a 6to4 embedded packet)?
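As an added worked example, and not code from the message above or from any 6to4 implementation, the following Python applies the six tests listed in Christian Huitema's reply to the four addresses of a 6to4 packet, using only the standard library ipaddress module. The dispatch in inspect_received follows the wording of test 1: a packet addressed to the relay anycast address 192.88.99.1 gets the relay tests, anything else gets the 6to4-router tests. The strict flag switches tests 2 and 5 on, so the default corresponds to the recommendation at the end of the message (1, 3 and 6 in a relay; 4 and 6 in a router). The packets, the router IPv4 address 203.0.113.9 and the function names are constructed for this example.

```python
# Added example: the six 6to4 sanity tests from the reply above, applied to the
# IPv4 envelope and IPv6 header addresses of one packet. All sample packets and
# the router address 203.0.113.9 are constructed values.
import ipaddress
from dataclasses import dataclass

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")

# Ranges the message lists as "not a valid unicast address" (tests 3 and 6):
# multicast, RFC 1918, zeroconf, 0/8 and 127/8.
NON_GLOBAL_V4 = [
    ipaddress.IPv4Network("224.0.0.0/4"),     # multicast
    ipaddress.IPv4Network("10.0.0.0/8"),      # RFC 1918
    ipaddress.IPv4Network("172.16.0.0/12"),   # RFC 1918
    ipaddress.IPv4Network("192.168.0.0/16"),  # RFC 1918
    ipaddress.IPv4Network("169.254.0.0/16"),  # zeroconf / link-local
    ipaddress.IPv4Network("0.0.0.0/8"),
    ipaddress.IPv4Network("127.0.0.0/8"),
]


@dataclass(frozen=True)
class SixToFourPacket:
    """The four addresses of one 6to4 packet: IPv4 envelope plus IPv6 header."""
    v4_src: ipaddress.IPv4Address
    v4_dst: ipaddress.IPv4Address
    v6_src: ipaddress.IPv6Address
    v6_dst: ipaddress.IPv6Address

    @classmethod
    def parse(cls, v4_src, v4_dst, v6_src, v6_dst):
        return cls(ipaddress.IPv4Address(v4_src), ipaddress.IPv4Address(v4_dst),
                   ipaddress.IPv6Address(v6_src), ipaddress.IPv6Address(v6_dst))


def is_valid_unicast_v4(addr):
    return not any(addr in net for net in NON_GLOBAL_V4)


def embedded_v4(addr6):
    """IPv4 address carried in bits 16..47 of a 2002:XXXX:YYYY:: address."""
    return ipaddress.IPv4Address((int(addr6) >> 80) & 0xFFFFFFFF)


def sixtofour_prefix(router_v4):
    """The 2002:XXXX:YYYY::/48 served by a 6to4 router whose IPv4 address is router_v4."""
    v4 = int(ipaddress.IPv4Address(router_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def relay_checks(pkt, strict=False):
    """Receiving side of a 6to4 relay: tests 1 and 3, plus test 2 when strict.
    Returns the numbers of the failed tests; an empty list means accept."""
    failed = []
    if pkt.v4_dst != RELAY_ANYCAST:
        failed.append(1)
    elif strict and not (pkt.v6_src in SIXTOFOUR and embedded_v4(pkt.v6_src) == pkt.v4_src):
        failed.append(2)
    if not is_valid_unicast_v4(pkt.v4_src):
        failed.append(3)
    return failed


def router_checks(pkt, router_v4, strict=False):
    """Receiving side of a 6to4 router: test 4, plus test 5 when strict."""
    failed = []
    if pkt.v6_dst not in sixtofour_prefix(router_v4):
        failed.append(4)
    if strict and pkt.v6_src in SIXTOFOUR and embedded_v4(pkt.v6_src) != pkt.v4_src:
        failed.append(5)
    return failed


def sending_check(v4_dst):
    """Sending side (test 6): the IPv4 destination must be a valid unicast address."""
    return [] if is_valid_unicast_v4(ipaddress.IPv4Address(v4_dst)) else [6]


def inspect_received(pkt, router_v4, strict=False):
    """Test 1 decides which set applies: relay anycast -> relay tests, else router tests."""
    if pkt.v4_dst == RELAY_ANYCAST:
        return relay_checks(pkt, strict)
    return router_checks(pkt, router_v4, strict)


if __name__ == "__main__":
    # Constructed samples: 2002:c633:6407:: embeds 198.51.100.7, 2002:cb00:7109:: embeds 203.0.113.9.
    samples = {
        "good relay packet": SixToFourPacket.parse("198.51.100.7", "192.88.99.1", "2002:c633:6407::1", "2001:db8::1"),
        "alternate exit router": SixToFourPacket.parse("203.0.113.9", "192.88.99.1", "2002:c633:6407::1", "2001:db8::1"),
        "RFC 1918 source": SixToFourPacket.parse("10.0.0.5", "192.88.99.1", "2002:a00:5::1", "2001:db8::1"),
        "bound for our /48": SixToFourPacket.parse("198.51.100.7", "203.0.113.9", "2002:c633:6407::1", "2002:cb00:7109::42"),
        "bound for another /48": SixToFourPacket.parse("198.51.100.7", "203.0.113.9", "2002:c633:6407::1", "2002:cb00:7110::1"),
    }
    for name, pkt in samples.items():
        print(f"{name:24} liberal={inspect_received(pkt, '203.0.113.9')} "
              f"strict={inspect_received(pkt, '203.0.113.9', strict=True)}")
    print("test 6 on 169.254.1.1:", sending_check("169.254.1.1"))
```

Running the sample loop shows the trade-off the message describes: the "alternate exit router" packet passes every liberal check and fails only test 2 under strict, while the RFC 1918 source fails test 3 either way, and a packet for a foreign 2002::/48 fails test 4 regardless of strictness.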


