Bugtraq mailing list archives
Re: IPv4 mapped address considered harmful
From: "Peter J. Holzer" <hjp () wsr ac at>
Date: Fri, 23 Aug 2002 09:54:56 +0200
On 2002-08-23 01:18:40 +0900, Jun-ichiro itojun Hagino wrote:
> 2. Threats due to the use of IPv4 mapped address on wire
>
> When userland application on top of AF_INET6 API sees peers with IPv4 mapped addresses (like by getpeername(2) or recvfrom(2)), it cannot detect if the packet actually was IPv4 (IPv4 mapped address appeared due to basic API behavior) or IPv6 (SIIT behavior).

I don't think it should care.

> This ambiguity creates chances to malicious party to trick victim nodes. Here are a couple of examples:
>
> o By transmitting IPv6 packet with ::ffff:127.0.0.1 in IPv6 source address field, applications that assume basic API behavior will be tricked to believe that the packet is from the node itself (IPv4 loopback address, 127.0.0.1).
>
> o By transmitting IPv6 packet to firewall device, with IPv4 mapped address corresponds to address inside the firewall (like ::ffff:10.1.1.1) as the IPv6 source address, malicious party could bypass IPv4 filtering rules and inject traffic inside the firewall.
>
> o Assume that the victim node is an IPv4/v6 dual stack node. By transmitting IPv6 packet with IPv4 mapped address corresponds to IPv4 broadcast address (::ffff:10.255.255.255) in IPv6 source address field, to TCP/UDP port that swaps IPv6 source and destination address (e.g. UDP port 53, DNS), malicious node can trick the victim node to generate improper IPv4 broadcast traffic; This is because basic API on the victim node will emit transmission requests to destination IPv4 mapped address, ::ffff:10.255.255.255, into IPv4 traffic.

How are these examples more dangerous with IPv6 than with plain IPv4?
You can just send those packets as plain IPv4 packets and get exactly
the same effect. Also the remedy in all three cases is the same: Reverse
path filtering in the first two cases, not setting SO_BROADCAST in the
last (or filtering of martians in the kernel).
I agree that some people will underestimate the complexity of supporting
both IPv4 and IPv6 and therefore make errors which they wouldn't have
made with IPv4 only, but your examples don't seem to be especially
illustrative.
hp
--
_ | Peter J. Holzer | Older sources (i.e. those that are
|_|_) | Sysadmin WSR / LUGA | already older than 12 hours) should
| | | hjp () wsr ac at | generally not be used with Linux -
__/ | http://www.hjp.at/ | Real Time Linux?? -- Gerhard Schneider
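
Added example, not part of the original post or of any project's code: one way an application on an AF_INET6 socket can treat an IPv4-mapped peer address exactly like the IPv4 address it embeds, so the same martian checks apply whichever way the packet arrived. The names `classify_peer`, `classify_v4`, `classify_text` and the `peer_class` values are hypothetical, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum peer_class { PEER_OK, PEER_LOOPBACK, PEER_MCAST_OR_BCAST, PEER_UNSPECIFIED };

/* IPv4 martian check on a host-byte-order address. A directed broadcast such
 * as 10.255.255.255 cannot be recognised without the local netmask, so it is
 * not flagged here; that case still relies on not setting SO_BROADCAST. */
static enum peer_class classify_v4(uint32_t a)
{
    if ((a >> 24) == 0)   return PEER_UNSPECIFIED;     /* 0.0.0.0/8 */
    if ((a >> 24) == 127) return PEER_LOOPBACK;        /* 127.0.0.0/8 */
    if ((a >> 28) >= 0xE) return PEER_MCAST_OR_BCAST;  /* 224/4, 240/4, 255.255.255.255 */
    return PEER_OK;
}

/* Classify an address reported by getpeername(2)/recvfrom(2) on AF_INET6.
 * A mapped address (::ffff:a.b.c.d) is unwrapped and judged by IPv4 rules. */
enum peer_class classify_peer(const struct sockaddr_in6 *sa)
{
    const struct in6_addr *a6 = &sa->sin6_addr;
    if (IN6_IS_ADDR_V4MAPPED(a6)) {
        uint32_t v4;
        memcpy(&v4, &a6->s6_addr[12], sizeof v4);  /* low 4 bytes, network order */
        return classify_v4(ntohl(v4));
    }
    if (IN6_IS_ADDR_LOOPBACK(a6))    return PEER_LOOPBACK;
    if (IN6_IS_ADDR_UNSPECIFIED(a6)) return PEER_UNSPECIFIED;
    if (IN6_IS_ADDR_MULTICAST(a6))   return PEER_MCAST_OR_BCAST;
    return PEER_OK;
}

/* Demo helper: parse a textual address (constructed input) and classify it.
 * Unparseable text is reported as PEER_UNSPECIFIED. */
enum peer_class classify_text(const char *txt)
{
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, txt, &sa.sin6_addr) != 1) return PEER_UNSPECIFIED;
    return classify_peer(&sa);
}

int main(void)
{
    const char *s[] = { "::ffff:127.0.0.1", "::ffff:10.1.1.1", "::ffff:255.255.255.255", "::1" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-24s -> %d\n", s[i], (int)classify_text(s[i]));
    return 0;
}
```

An address like ::ffff:10.1.1.1 comes back as PEER_OK because an application cannot know which side of a firewall it belongs to; that case is left to reverse path filtering on the network path.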
