
Opened 7 years ago

Closed 7 years ago

#8599 closed defect (wontfix)

6to4 returns from 192.88.99.2 are blocked

Reported by: cybjit <cybjit@…>
Owned by: developers
Priority: normal
Milestone: Backfire 10.03.1
Component: base system
Version: Backfire 10.03.1 RC4
Keywords: ipv6 6to4
Cc:

Description

6to4 setup

config 'interface' 'wan6'
        option 'proto' '6to4'
        option 'mtu'   '1280'

tcpdump of successful ping www.sixxs.net:

16:13:19.185133 IP myhost > 192.88.99.1: IP6 2002:xxxx:yyyy::1 > 2001:1af8:1:f006::6: ICMP6, echo request, seq 8, length 64
16:13:19.227230 IP 192.88.99.1 > myhost: IP6 2001:1af8:1:f006::6 > 2002:xxxx:yyyy::1: ICMP6, echo reply, seq 8, length 64

tcpdump of failed ping www.kame.net:

15:57:03.125221 IP myhost > 192.88.99.1: IP6 2002:xxxx:yyyy::1 > 2001:200:dff:fff1:216:3eff:feb1:44d7: ICMP6, echo request, seq 8, length 64
15:57:03.429727 IP 192.88.99.2 > myhost: IP6 2001:200:dff:fff1:216:3eff:feb1:44d7 > 2002:xxxx:yyyy::1: ICMP6, echo reply, seq 8, length 64
15:57:03.429938 IP myhost > 192.88.99.2: ICMP myhost protocol 41 port 0 unreachable, length 132

No idea if 192.88.99.2 is valid, but other boxes accept it.


Change History (8)

comment:1 Changed 7 years ago by cybjit <cybjit@…>

Workaround firewall rule:

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'all6to4'
        option 'src' 'wan'
        option 'proto' 'all'
        option 'src_ip' '192.88.99.0/24'

comment:2 Changed 7 years ago by jow

Thank you for the information. I think this should be a documentation item at best; I'd like to avoid putting firewall modifications into the 6to4 package itself.

comment:3 Changed 7 years ago by Cybjit

Ugh, that was not enough; for example, 6bonehead.cbbtier3.att.net and teredo.bb.trex.fi send 6to4 packets but do not use 192.88.99.0/24:

17:13:57.041699 IP myhost > 192.88.99.1: IP6 2002:xxxx:yyyy::1 > 2001:1890:1112:1::2a: ICMP6, echo request, seq 7, length 64
17:13:57.232639 IP 12.0.1.56 > myhost: IP6 2001:1890:1112:1::2a > 2002:xxxx:yyyy::1: ICMP6, echo reply, seq 7, length 64
17:13:57.232849 IP myhost > 12.0.1.56: ICMP myhost protocol 41 port 0 unreachable, length 132

Which means everything from 41 has to be accepted.
Seems like anyone could spoof any IPv6 addresses using this?

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'all6to4'
        option 'src' 'wan'
        option 'proto' '41'

comment:4 follow-up: Changed 7 years ago by jow

Yes, that's one big downside of the open-by-design 6to4 anycast infrastructure. If you haven to have a bad server nearby, you're basically sol.

comment:5 Changed 7 years ago by jow

s/haven/happen/

comment:6 in reply to: ↑ 4 ; follow-up: Changed 7 years ago by cybjit <cybjit@…>

Replying to jow:

Yes, that's one big downside of the open-by-design 6to4 anycast infrastructure. If you happen to have a bad server nearby, you're basically sol.

Well, if all 6to4 relays used 192.88.99.0/24 the spoofing problem would at least be restricted to those that can already spoof IPv4.

comment:7 in reply to: ↑ 6 Changed 7 years ago by steelman <stlman@…>

Replying to cybjit <cybjit@…>:

Replying to jow:

Yes, that's one big downside of the open-by-design 6to4 anycast infrastructure. If you happen to have a bad server nearby, you're basically sol.

Well, if all 6to4 relays used 192.88.99.0/24 the spoofing problem would at least be restricted to those that can already spoof IPv4.

According to the "Security considerations" section of RFC 3056, a 6to4 gateway (i.e. your router) should accept protocol 41 traffic "from any source from which regular IPv4 traffic is accepted".

In fact, that is not such a big issue after all. You simply have to protect yourself on the IPv6 side (ip6tables).

IMHO 6to4 scripts should add firewall rules to accept the traffic by default.
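To make concrete what a 6to4 router can and cannot verify once protocol 41 is open to every IPv4 source (the spoofing worry in comment:3, the "filter on the IPv6 side" answer in comment:7), here is an added example of the decapsulation checks a site router can apply, in the spirit of RFC 3964 (Security Considerations for 6to4). It is not code from OpenWrt or its 6to4 package. The router's own WAN address (203.0.113.10, so its prefix is 2002:cb00:710a::/48), the direct-peer address 198.51.100.7 and all sample packets are constructed; the relay IPv4 addresses and native IPv6 addresses are the ones that appear in the ticket's tcpdump output.

```python
"""6to4 decapsulation checks at a site router (added example, not OpenWrt code)."""
import ipaddress
from dataclasses import dataclass

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ANYCAST_RELAYS = ipaddress.IPv4Network("192.88.99.0/24")  # RFC 3068 relay anycast block

# Outer IPv4 sources that can never be a legitimate 6to4 peer or relay
# (illustrative list: unspecified, loopback, RFC 1918, link-local, multicast, reserved).
V4_BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Proto41Packet:
    """The fields a decapsulator looks at: outer IPv4 header plus inner IPv6 header."""
    outer_src: str
    outer_dst: str
    inner_src: str
    inner_dst: str
    proto: int = 41


def embedded_v4(addr6):
    """IPv4 address embedded in a 2002:V4ADDR::/48 address, or None for native IPv6."""
    if addr6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(addr6.packed[2:6])


def check_decapsulation(pkt, my_v4, known_relays=(), strict_relays=False):
    """Classify an inbound protocol-41 packet.  Returns (action, reason).

    DROP               fails a check that needs no trust in any relay
    ACCEPT             2002::/16 source whose embedded IPv4 equals the outer source
    ACCEPT_UNVERIFIED  native IPv6 source delivered by a relay; the outer IPv4 source
                       proves nothing about it, so filtering has to happen on IPv6
    strict_relays=True drops native sources from relays outside 192.88.99.0/24 and
    known_relays, which is what a 192.88.99.0/24-only firewall rule amounts to.
    """
    me = ipaddress.IPv4Address(my_v4)
    my_prefix = ipaddress.IPv6Network(((0x2002 << 112) | (int(me) << 80), 48))
    if pkt.proto != 41:
        return "DROP", "not IPv6-in-IPv4 (protocol 41)"
    outer_src = ipaddress.IPv4Address(pkt.outer_src)
    outer_dst = ipaddress.IPv4Address(pkt.outer_dst)
    inner_src = ipaddress.IPv6Address(pkt.inner_src)
    inner_dst = ipaddress.IPv6Address(pkt.inner_dst)

    if outer_dst != me:
        return "DROP", f"outer destination {outer_dst} is not our 6to4 endpoint"
    if outer_src == me or any(outer_src in net for net in V4_BOGONS):
        return "DROP", f"implausible outer IPv4 source {outer_src}"
    if inner_dst not in my_prefix:
        return "DROP", f"inner destination {inner_dst} is outside our /48; we are not a relay"
    if (inner_src.is_unspecified or inner_src.is_loopback
            or inner_src.is_link_local or inner_src.is_multicast):
        return "DROP", f"inner source {inner_src} is never valid across a tunnel"
    if inner_src in my_prefix:
        return "DROP", f"inner source {inner_src} claims our own 6to4 prefix"

    v4 = embedded_v4(inner_src)
    if v4 is not None:
        # Direct 6to4-to-6to4 traffic: the peer encapsulated it itself, so the embedded
        # address must equal the outer source.  This is the one check that catches spoofing.
        if v4 != outer_src:
            return "DROP", f"inner source embeds {v4} but outer source is {outer_src}"
        return "ACCEPT", "2002::/16 source consistent with outer IPv4 source"

    # Native IPv6 source: some relay encapsulated it.  Any IPv4 host can claim to be
    # that relay, and real relays do not all sit in 192.88.99.0/24 (see 12.0.1.56 above).
    relays = {ipaddress.IPv4Address(r) for r in known_relays}
    if outer_src in ANYCAST_RELAYS or outer_src in relays:
        return "ACCEPT_UNVERIFIED", f"native source via relay {outer_src}; filter on IPv6 side"
    if strict_relays:
        return "DROP", f"native source via unlisted relay {outer_src}"
    return "ACCEPT_UNVERIFIED", f"native source via unlisted relay {outer_src}; filter on IPv6 side"


MY_V4 = "203.0.113.10"  # constructed WAN address -> 6to4 prefix 2002:cb00:710a::/48
ME6 = "2002:cb00:710a::1"
SAMPLES = {  # constructed packets; relay IPv4s and native IPv6s taken from the ticket
    "sixxs_reply":  Proto41Packet("192.88.99.1", MY_V4, "2001:1af8:1:f006::6", ME6),
    "kame_reply":   Proto41Packet("192.88.99.2", MY_V4, "2001:200:dff:fff1:216:3eff:feb1:44d7", ME6),
    "att_reply":    Proto41Packet("12.0.1.56", MY_V4, "2001:1890:1112:1::2a", ME6),
    "direct_peer":  Proto41Packet("198.51.100.7", MY_V4, "2002:c633:6407::5", ME6),
    "spoofed_6to4": Proto41Packet("198.51.100.7", MY_V4, "2002:c000:201::1", ME6),
    "spoofed_self": Proto41Packet("198.51.100.7", MY_V4, "2002:cb00:710a::2", ME6),
    "bogon_outer":  Proto41Packet("10.0.0.5", MY_V4, "2001:db8::1", ME6),
    "not_for_us":   Proto41Packet("192.88.99.1", MY_V4, "2001:db8::1", "2002:c633:6407::1"),
}


def run_samples(strict_relays=False):
    """Action for every sample packet, keyed by name."""
    return {name: check_decapsulation(pkt, MY_V4, strict_relays=strict_relays)[0]
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, reason = check_decapsulation(pkt, MY_V4)
        print(f"{name:13} {action:18} {reason}")
    print("att_reply with strict_relays=True:", run_samples(strict_relays=True)["att_reply"])
```

The three replies from the ticket all come back as ACCEPT_UNVERIFIED: the outer IPv4 source tells the router nothing about a native IPv6 sender, and restricting accepted relays to 192.88.99.0/24 (strict_relays=True) drops the reply relayed by 12.0.1.56 exactly as comment:3 observed. The only spoofing the router itself can catch is a 2002::/16 inner source whose embedded IPv4 address disagrees with the outer source, or one that claims the router's own prefix; everything else has to be filtered on the decapsulated IPv6 side.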

comment:8 Changed 7 years ago by jow

  • Resolution set to wontfix
  • Status changed from new to closed

Allowing protocol 41 in the firewall is beyond the scope of this package.
