Mailing List Archive: nsp: ipv6

ip6tables and multiple possible source addresses



tperrine at scea

Jan 17, 2012, 5:04 PM

Post #1 of 15 (2318 views)
ip6tables and multiple possible source addresses

Someone must have already figured this out; I'm feeling "virtual Monday"
pretty bad right now :-(

With IPv6 a host can have "lots" (more than 1) of possible IPv6
addresses to use as the source address. I've read the RFCs, so I can
(usually) make a good guess as to which one will be used, but...

When writing a host-specific ip6tables rule, which address do you need
to list? All of the possible Global Scoped addresses?

This seems...... awkward (and error prone).

Am I missing something, or is it that bad?

--tep


ben at bjencks

Jan 17, 2012, 11:10 PM

Post #2 of 15 (2260 views)
Re: ip6tables and multiple possible source addresses [In reply to]

On Jan 17, 2012, at 8:04 PM, Tom Perrine wrote:

> Someone must have already figured this out; I'm feeling "virtual Monday" pretty bad right now :-(
>
> With IPv6 a host can have "lots" (more than 1) of possible IPv6 addresses to use as the source address. I've read the RFCs, so I can (usually) make a good guess as to which one will be used, but...
>
> When writing a host-specific ip6tables rule, which address do you need to list? All of the possible Global Scoped addresses?
>
> This seems...... awkward (and error prone).
>
> Am I missing something, or is it that bad?

If you have control over the host, you can set and/or verify its source address selection policy to make sure you use the right IP. If you don't, you shouldn't trust that the IP continues to refer to the same host over long periods of time, and simply filter based on the actual source IP you see at the moment. Besides, if a host starts using a different source address (e.g. privacy addresses) it's very likely that it doesn't *want* to be treated as the same host.

-Ben


gert at space

Jan 18, 2012, 1:50 AM

Post #3 of 15 (2257 views)
Re: ip6tables and multiple possible source addresses [In reply to]

Hi,

On Tue, Jan 17, 2012 at 05:04:00PM -0800, Tom Perrine wrote:
> When writing a host-specific ip6tables rule, which address do you need
> to list? All of the possible Global Scoped addresses?

Maybe this is an indication that host-specific ipv6 firewall rules for
"only certain hosts in an otherwise non-trusted /64 subnet" is a stupid
idea right from the start...

Of course it's completely unheard-of that evil host A could impersonate
trusted host B's address to circumvent these rules.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279


marc.blanchet at viagenie

Jan 18, 2012, 4:26 AM

Post #4 of 15 (2265 views)
Re: ip6tables and multiple possible source addresses [In reply to]

On 2012-01-18 at 02:10, Ben Jencks wrote:

>
> On Jan 17, 2012, at 8:04 PM, Tom Perrine wrote:
>
>> Someone must have already figured this out; I'm feeling "virtual Monday" pretty bad right now :-(
>>
>> With IPv6 a host can have "lots" (more than 1) of possible IPv6 addresses to use as the source address. I've read the RFCs, so I can (usually) make a good guess as to which one will be used, but...
>>
>> When writing a host-specific ip6tables rule, which address do you need to list? All of the possible Global Scoped addresses?
>>
>> This seems...... awkward (and error prone).
>>
>> Am I missing something, or is it that bad?
>
> If you have control over the host, you can set and/or verify its source address selection policy to make sure you use the right IP.

might not work all the time, since the source and destination address selection algorithm depends on the destination. Therefore, the host can use address A to reach B and address C to reach D. Moreover, host OS and software (browsers) already implement happy-eyeballs or variations of this that make the assumption even less appropriate.

> If you don't, you shouldn't trust that the IP continues to refer to the same host over long periods of time, and simply filter based on the actual source IP you see at the moment. Besides, if a host starts using a different source address (e.g. privacy addresses) it's very likely that it doesn't *want* to be treated as the same host.


One thing that _may_ help you, Tom, is whether the provisioning of the host is done by DHCPv6, which is what many enterprises are using/planning to use. In this case, the host most likely has a single global address and is not going to use temporary addresses.

Marc.


>
> -Ben


holger.zuleger at vodafone

Jan 18, 2012, 4:41 AM

Post #5 of 15 (2275 views)
RE: ip6tables and multiple possible source addresses [In reply to]

Hi,

> On Tue, Jan 17, 2012 at 05:04:00PM -0800, Tom Perrine wrote:
> > When writing a host-specific ip6tables rule, which address do you need
> > to list? All of the possible Global Scoped addresses?
>
> Maybe this is an indication that host-specific ipv6 firewall rules for
> "only certain hosts in an otherwise non-trusted /64 subnet" is a stupid
> idea right from the start...
and this is stupid in IPv4 networks as well.

If you want to have host specific filtering of outgoing traffic, please
use proxies with user authentication.

Anyway, because of the huge address space in IPv6, one option would be
to give every host its own subnet (up to 65000 hosts).
But I wouldn't recommend this...

Regards
Holger


oneingray at gmail

Jan 18, 2012, 5:03 AM

Post #6 of 15 (2258 views)
Re: ip6tables and multiple possible source addresses [In reply to]

>>>>> Gert Doering <gert [at] space> writes:
>>>>> On Tue, Jan 17, 2012 at 05:04:00PM -0800, Tom Perrine wrote:

>> When writing a host-specific ip6tables rule, which address do you
>> need to list? All of the possible Global Scoped addresses?

> Maybe this is an indication that host-specific ipv6 firewall rules
> for "only certain hosts in an otherwise non-trusted /64 subnet" is a
> stupid idea right from the start...

> Of course it's completely unheard-of that evil host A could impersonate
> trusted host B's address to circumvent these rules.

I tend to agree with that. It makes little sense to use IP
addresses for authentication nowadays, as, e. g., Kerberos and
X.509-based authentication allow for way more secure and
flexible operation.

--
FSF associate member #7257


tjc at ecs

Jan 18, 2012, 5:04 AM

Post #7 of 15 (2258 views)
Re: ip6tables and multiple possible source addresses [In reply to]

On 18 Jan 2012, at 12:26, Marc Blanchet wrote:

> One thing that _may_ help you, Tom, is whether the provisioning of the host is done by DHCPv6, which is what many enterprises are using/planning to use. In this case, the host most likely has a single global address and is not going to use temporary addresses.

Though DHCPv6 supports temporary addresses, which may be a good compromise between accountability and user privacy.

Tim


brian.e.carpenter at gmail

Jan 18, 2012, 11:48 AM

Post #8 of 15 (2244 views)
Re: ip6tables and multiple possible source addresses [In reply to]

The fact is that

a) this sort of scenario is intrinsic to the design of IPv6, so get used to it.

b) it is *very* hard to get border router and firewall configurations correct
to deal with it. In fact, reports on the reachability of 2404:138:4004::1 and
2001:df0:0:201e::1 would help me a lot right now: they are the same machine,
but we are having difficulty getting them both pingable simultaneously.

c) the IETF is trying to sort this out in the MIF (multiple interface) and
HOMENET WGs, but for now it does seem to be a matter of twiddling router
rules and firewall rules by hand. Not pretty.

Regards
Brian Carpenter

On 2012-01-19 01:26, Marc Blanchet wrote:
> On 2012-01-18 at 02:10, Ben Jencks wrote:
>
>> On Jan 17, 2012, at 8:04 PM, Tom Perrine wrote:
>>
>>> Someone must have already figured this out; I'm feeling "virtual Monday" pretty bad right now :-(
>>>
>>> With IPv6 a host can have "lots" (more than 1) of possible IPv6 addresses to use as the source address. I've read the RFCs, so I can (usually) make a good guess as to which one will be used, but...
>>>
>>> When writing a host-specific ip6tables rule, which address do you need to list? All of the possible Global Scoped addresses?
>>>
>>> This seems...... awkward (and error prone).
>>>
>>> Am I missing something, or is it that bad?
>> If you have control over the host, you can set and/or verify its source address selection policy to make sure you use the right IP.
>
> might not work all the time, since the source and destination address selection algorithm depends on the destination. Therefore, the host can use address A to reach B and address C to reach D. Moreover, host OS and software (browsers) already implement happy-eyeballs or variations of this that make the assumption even less appropriate.
>
>> If you don't, you shouldn't trust that the IP continues to refer to the same host over long periods of time, and simply filter based on the actual source IP you see at the moment. Besides, if a host starts using a different source address (e.g. privacy addresses) it's very likely that it doesn't *want* to be treated as the same host.
>
>
> One thing that _may_ help you, Tom, is whether the provisioning of the host is done by DHCPv6, which is what many enterprises are using/planning to use. In this case, the host most likely has a single global address and is not going to use temporary addresses.
>
> Marc.
>
>
>> -Ben
>
>


olipro at 8

Jan 18, 2012, 11:57 AM

Post #9 of 15 (2243 views)
Re: ip6tables and multiple possible source addresses [In reply to]

On Tuesday 17 Jan 2012 17:04:00 Tom Perrine wrote:
> Someone must have already figured this out; I'm feeling "virtual Monday"
> pretty bad right now :-(
>
> With IPv6 a host can have "lots" (more than 1) of possible IPv6
> addresses to use as the source address. I've read the RFCs, so I can
> (usually) make a good guess as to which one will be used, but...
>
> When writing a host-specific ip6tables rule, which address do you need
> to list? All of the possible Global Scoped addresses?
>
> This seems...... awkward (and error prone).
>
> Am I missing something, or is it that bad?
>
> --tep

If using DHCPv6 and refusing to route unleased addresses (or subnets)
*isn't* an option for you and SLAAC is a must, then the only real way to
handle this is to allocate a /64 *per host* and perform your firewalling on
the CIDR boundary - not an entirely impossible prospect if you have a
reasonable subnet size to play with.

On a side note, one thing to bear in mind is that when you make router
advertisements, you can set AdvOnlink to off which has the effect of
causing /all/ traffic for that subnet to be routed; hosts will not attempt
or use neighbour discovery - useful if you want to use a single subnet
across multiple VLANs.


evyncke at cisco

Jan 18, 2012, 12:32 PM

Post #10 of 15 (2287 views)
RE: ip6tables and multiple possible source addresses [In reply to]

Or more simply, with modern (cough, since 1995!) switches it is easy to get as many layer-2 domains as you want with VLANs. With IPv6, you usually receive thousands of /64s. As it is easy to spoof within a layer-2 domain (assuming SAVI/SeND are not used) for IPv4 and IPv6, the best recommendation is to put all hosts with the same security level into one /64 (.1X can help) and build your ip6tables on /64 and not /128. Then SLAAC & DHCP or whatever will work like a charm (assuming basic anti-spoofing).

-éric

> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com [at] lists [mailto:ipv6-ops-
> bounces+evyncke=cisco.com [at] lists] On Behalf Of Olipro
> Sent: Wednesday 18 January 2012 20:58
> To: ipv6-ops [at] lists
> Subject: Re: ip6tables and multiple possible source addresses
>
> On Tuesday 17 Jan 2012 17:04:00 Tom Perrine wrote:
> > Someone must have already figured this out; I'm feeling "virtual Monday"
> > pretty bad right now :-(
> >
> > With IPv6 a host can have "lots" (more than 1) of possible IPv6
> > addresses to use as the source address. I've read the RFCs, so I can
> > (usually) make a good guess as to which one will be used, but...
> >
> > When writing a host-specific ip6tables rule, which address do you need
> > to list? All of the possible Global Scoped addresses?
> >
> > This seems...... awkward (and error prone).
> >
> > Am I missing something, or is it that bad?
> >
> > --tep
>
> If using DHCPv6 and refusing to route unleased addresses (or subnets)
> *isn't* an option for you and SLAAC is a must, then the only real way to
> handle this is to allocate a /64 *per host* and perform your firewalling on
> the CIDR boundary - not an entirely impossible prospect if you have a
> reasonable subnet size to play with.
>
> On a side note, one thing to bear in mind is that when you make router
> advertisements, you can set AdvOnlink to off which has the effect of
> causing /all/ traffic for that subnet to be routed; hosts will not attempt
> or use neighbour discovery - useful if you want to use a single subnet
> across multiple VLANs.
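As an added illustration of the /64-versus-/128 point above (this is not code from the thread), here is a small Python model of first-match chain evaluation over two constructed rule sets: a /128 rule for the one address the admin "knows", and a /64 rule for the whole LAN. All addresses are constructed from the 2001:db8::/32 documentation prefix; TEMP_ADDR stands in for an RFC 4941 temporary address that the same host may pick from the same /64.

```python
import ipaddress
import shlex

# Constructed sample addresses (documentation prefix, not real hosts).
STABLE_ADDR = "2001:db8:1::10"                     # address the admin wrote the rule for
TEMP_ADDR = "2001:db8:1:0:3c4e:9a1f:7b20:11d2"     # temporary address, same /64, same host
OTHER_LAN = "2001:db8:2::10"                       # a host in a different /64


def parse_rules(text):
    """Parse a subset of ip6tables-save syntax: '-A CHAIN -s SRC -j TARGET'.
    Returns [(network, target), ...] in rule order; other syntax is rejected."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        src = target = None
        for i, t in enumerate(tok):
            if t == "-s":
                src = ipaddress.ip_network(tok[i + 1], strict=False)
            elif t == "-j":
                target = tok[i + 1]
        if src is None or target is None:
            raise ValueError("unsupported rule: " + line)
        rules.append((src, target))
    return rules


def verdict(rules, src, policy="DROP"):
    """First matching rule wins, as in a netfilter chain; else the chain policy."""
    addr = ipaddress.ip_address(src)
    for net, target in rules:
        if addr in net:
            return target
    return policy


HOST_RULES = "-A INPUT -s 2001:db8:1::10/128 -j ACCEPT"   # per-host (/128) style
SUBNET_RULES = "-A INPUT -s 2001:db8:1::/64 -j ACCEPT"    # per-segment (/64) style


def compare():
    """Map each sample source to (verdict under /128 rule, verdict under /64 rule)."""
    r128 = parse_rules(HOST_RULES)
    r64 = parse_rules(SUBNET_RULES)
    return {a: (verdict(r128, a), verdict(r64, a))
            for a in (STABLE_ADDR, TEMP_ADDR, OTHER_LAN)}


if __name__ == "__main__":
    for a, (v128, v64) in compare().items():
        print(f"{a:40} /128 rule: {v128:6}  /64 rule: {v64}")
```

The /128 rule silently drops the same host once it sources from its temporary address, while the /64 rule keeps it and still excludes the other segment; the model does nothing about spoofing inside the /64, which is exactly why the post pairs it with basic anti-spoofing.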


cb.list6 at gmail

Jan 18, 2012, 12:40 PM

Post #11 of 15 (2243 views)
RE: ip6tables and multiple possible source addresses [In reply to]

I guess I missed why the simplest answer does not apply.

If you are already creating host specific iptables, why not just use a
static address that is permanent? This really works the same in ipv4 and
ipv6, right?

Cb


brian.e.carpenter at gmail

Jan 18, 2012, 5:56 PM

Post #12 of 15 (2242 views)
Re: ip6tables and multiple possible source addresses [In reply to]

On 2012-01-19 09:40, Cameron Byrne wrote:
> I guess I missed why the simplest answer does not apply
>
> If you are already creating host specific iptables, why not just use a
> static address that is permanent? This really works the same in ipv4 and
> ipv6, right?

Yes, but static addresses are an invitation to trouble later on.
http://tools.ietf.org/html/draft-carpenter-6renum-static-problem

Brian


mohacsi at niif

Jan 19, 2012, 12:48 AM

Post #13 of 15 (2241 views)
Re: ip6tables and multiple possible source addresses [In reply to]

On Thu, 19 Jan 2012, Brian E Carpenter wrote:

> On 2012-01-19 09:40, Cameron Byrne wrote:
>> I guess I missed why the simplest answer does not apply
>>
>> If you are already creating host specific iptables, why not just use a
>> static address that is permanent? This really works the same in ipv4 and
>> ipv6, right?
>
> Yes, but static addresses are an invitation to trouble later on.
> http://tools.ietf.org/html/draft-carpenter-6renum-static-problem

Which is more frequent, renumbering or tweaking firewall rules? There is a
tradeoff - everybody should decide according to their taste.

Best Regards,
Janos Mohacsi


jens.weibler at h-da

Jan 19, 2012, 1:55 AM

Post #14 of 15 (2266 views)
Re: ip6tables and multiple possible source addresses [In reply to]

On 19.01.2012 09:48, Mohacsi Janos wrote:
> Which is more frequent, renumbering or tweaking firewall rules? There
> is a tradeoff - everybody should decide according to their taste.

In my opinion firewalls should change their behaviour in flexible rules.
I don't want to enter the prefix explicitly in each rule but only the
host part.

Example:
I configure my current prefix 2001:db8::/48 as prefix-set MY-NETWORK.
In a rule I only use MY-NETWORK:dead:beef:0:1.

On the big day of prefix change I advance my prefix-set by simply adding
the new prefix - leaving the old one still there.
After the renumbering phase I simply delete my old prefix 2001:db8::/48
from the prefix-set and I'm done.

Firewalls have to change for real ipv6 ops.


And by the way: I really don't care for my servers on the renumbering
day. They are all statically configured but managed by puppet. Changing the
IP will just be a small script.

--
Jens Weibler
IT-Services

Hochschule Darmstadt
www.h-da.de
University of Applied Sciences

Fachbereich Informatik
www.fbi.h-da.de
Schöfferstr. 8b
D-64295 Darmstadt
Tel +49 6151 16-8425
Fax +49 6151 16-8935
jens.weibler [at] h-da
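A sketch of the prefix-set idea from this post, as an added Python example and not an existing ip6tables feature: a small "compile" step expands MY-NETWORK plus a host part into concrete /128 rules, and renumbering is done purely on the prefix-set (add the new prefix, later remove the old one) without editing any rule. Assumed: the host part is right-aligned in the address (so `dead:beef:0:1` fills the low 64 of the 80 host bits a /48 leaves), and the new prefix 2001:db8:1000::/48 is a constructed value.

```python
import ipaddress

# Constructed values: the current prefix-set and the (hypothetical) prefix we move to.
MY_NETWORK = {"2001:db8::/48"}
NEW_PREFIX = "2001:db8:1000::/48"
HOST_PART = "dead:beef:0:1"   # the only thing a rule author writes per host


def expand(prefix_set, host_part):
    """Combine every prefix in the set with a right-aligned host part.
    Raises if the host part does not fit into the prefix's host bits."""
    suffix = int(ipaddress.IPv6Address("::" + host_part))   # assumption: low bits
    addrs = []
    for p in prefix_set:
        net = ipaddress.IPv6Network(p)
        host_bits = 128 - net.prefixlen
        if suffix >= (1 << host_bits):
            raise ValueError(f"{host_part} needs more than {host_bits} host bits ({p})")
        addrs.append(ipaddress.IPv6Address(int(net.network_address) | suffix))
    return sorted(addrs)   # deterministic order regardless of set iteration


def render_rules(prefix_set, host_part, chain="INPUT", target="ACCEPT"):
    """The 'compile' step: one concrete ip6tables rule per prefix in the set."""
    return [f"-A {chain} -s {a}/128 -j {target}" for a in expand(prefix_set, host_part)]


def renumber(prefix_set, old, new):
    """Renumbering as two prefix-set states: overlap (old + new), then new only."""
    overlap = set(prefix_set) | {new}
    done = overlap - {old}
    return overlap, done


def demo():
    """Rules before, during and after renumbering; no rule text is touched."""
    overlap, done = renumber(MY_NETWORK, "2001:db8::/48", NEW_PREFIX)
    return (render_rules(MY_NETWORK, HOST_PART),
            render_rules(overlap, HOST_PART),
            render_rules(done, HOST_PART))


if __name__ == "__main__":
    for label, rules in zip(("before", "overlap", "after"), demo()):
        print(label, *rules, sep="\n  ")
```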


gert at space

Jan 19, 2012, 2:59 AM

Post #15 of 15 (2245 views)
Re: ip6tables and multiple possible source addresses [In reply to]

Hi,

On Thu, Jan 19, 2012 at 10:55:16AM +0100, Jens Weibler wrote:
> I configure my current prefix 2001:db8::/48 as prefix-set MY-NETWORK.
> In a rule I only use MY-NETWORK:dead:beef:0:1.
>
> On the big day of prefix change I advance my prefix-set by simply adding
> the new prefix - leaving the old one still there.
> After the renumbering phase I simply delete my old prefix 2001:db8::/48
> from the prefix-set and I'm done.
>
> Firewalls have to change for real ipv6 ops.

Seconded. That is one of the big things that needs to change (and not
only in firewalls, but also in DNS and DHCPv6 management software, etc.).

Gert Doering
-- NetMaster
