mh (RE: OMB: IPv6 by June 2008)
Iljitsch van Beijnum
iljitsch at muada.com
Fri Jul 8 18:58:53 UTC 2005
On 8-jul-2005, at 19:34, Fred Baker wrote:
> A NAT, in that context, is a stateful firewall that changes the
> addresses, which means that the end station cannot use IPSEC to
> ensure that it is still talking with the same system on the
> outside. It is able to use TLS, SSH, etc as transport layer
> solutions, but those are subject to attacks on TCP such as RST
> attacks, data insertion, acknowledge hacking, and so on, and SSH
> also has a windowing problem (on top of TCP's window, SSH has its
> own window, and in large delay*bandwidth product situations SSH's
> window is a performance limit). In other words, a NAT is a man-in-
> the-middle attack, or is a device that forces the end user to
> expose himself to man-in-the-middle attacks.
>
>
:-)
> A true stateful firewall that allows IPSEC end to end doesn't
> expose the user to those attacks.
>
>
I of course couldn't resist, so:
!
ipv6 access-list out-ipv6-acl
permit ipv6 any any reflect state-acl
!
ipv6 access-list in-ipv6-acl
evaluate state-acl
deny ipv6 any any log
!
(don't try this at home, kids: that deny any is dangerous because it
blocks neighbor discovery)
Unfortunately, IPsec (ESP transport mode) isn't allowed back in:
%IPV6-6-ACCESSLOGNP: list in-ipv6-acl/20 denied 50 2001:1AF8:2:5::2 -
> 2001:1AF8:6:0:20A:95FF:FEF5:246E, 29 packets
On second thought: how could it? The SPIs for outgoing and incoming
packets are different. I suppose it would be possible for the
stateful filter to snoop the ISAKMP protocol and install filter rules
based on the information found there, but that's obviously not what
happens.
More information about the NANOG
mailing list