IPv6 ingress filtering
Kurt Buff - GSEC, GCIH
kurt.buff at gmail.com
Sat May 18 02:05:40 CEST 2019
On Fri, May 17, 2019 at 3:54 PM Brian E Carpenter
<brian.e.carpenter at gmail.com> wrote:
>
> On 18-May-19 09:07, Kurt Buff - GSEC, GCIH wrote:
> > On Fri, May 17, 2019 at 1:59 PM Enno Rey <erey at ernw.de> wrote:
> >>
> >> Hi,
> >>
> >> On Fri, May 17, 2019 at 01:45:56PM -0700, Kurt Buff - GSEC, GCIH wrote:
> >>> Forgive the intrusion, as I seek a bit of clarity.
> >>>
> >>> MSFT DirectAccess seems to use the address range in question:
> >>>
> >>> Tunnel adapter iphttpsinterface:
> >>>
> >>> Connection-specific DNS Suffix . :
> >>> IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Temporary IPv6 Address. . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
> >>> Default Gateway . . . . . . . . . :
> >>>
> >>> It seems to me that filtering this range might hurt a bit, unless I'm
> >>> mistaking what some are proposing.
> >>
> >> not being an MS DirectAccess expert I'd say that - given DA is a VPN technology, using IP-HTTPS as a (somewhat proprietary) tunnel tech - these addresses shouldn't be visible too much "in the [public] IPv6 Internet" so the proposed filtering (of this thread) shouldn't come into play.
> >>
> >> cheers
> >>
> >> Enno
> >
> > So, network filters aren't going to gratuitously inspect IPv4 packets
> > for IPv6 content.
>
> Let's hope not, but what possessed Microsoft to make them use the
> 2002::/16 prefix in this way is an interesting question in itself.
> In 6to4 format, 4332:aaaa would imply a site IPv4 address of
> 67.50.170.170. And cccc:dddd:eeee:ffff doesn't look much like
> a pseudo-random temporary interface identifier.
>
> Maybe it's never a good idea to look underneath the hood of a VPN.
LOL!
Obfuscation has its uses...
Kurt
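Brian's decoding of the 6to4 format above (2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the site's IPv4 address, so 4332:aaaa is 67.50.170.170) is easy to automate. The following Python is an added example written for this page, not code from the thread, from the list, or from Microsoft. It extracts the embedded IPv4 address and interface identifier, and applies a sample ingress policy for 2002::/16 sources: drop when the embedded IPv4 address is not globally routable, and, when the encapsulating IPv4 source is known, drop when it does not match the embedded address (the consistency check RFC 3964 recommends for 6to4 routers). The function names, the verdict strings and the sample addresses are my own constructions.

```python
import ipaddress

# 6to4 prefix (RFC 3056): 2002:WWXX:YYZZ::/48, where WWXX:YYZZ are the
# four octets of the site's public IPv4 address in bits 16-47.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def embedded_ipv4(addr):
    """Return the IPv4 address carried in bits 16-47 of a 6to4 address,
    or None if the address is outside 2002::/16."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


def interface_id(addr):
    """Return the low 64 bits (the interface identifier) as a hex string,
    so a reader can eyeball whether it looks random or hand-assigned."""
    return ipaddress.IPv6Address(addr).packed[8:].hex()


def six_to_four_verdict(v6_src, outer_ipv4_src=None):
    """Classify a 6to4 IPv6 source address for ingress filtering (sample policy).

    Returns one of:
      'not-6to4'      - outside 2002::/16; this policy does not apply
      'drop-bogon'    - embedded IPv4 address is private, loopback, link-local,
                        multicast, documentation or otherwise not globally routable
      'drop-mismatch' - an encapsulating IPv4 source was supplied and it does not
                        equal the embedded IPv4 address (RFC 3964 style check,
                        only meaningful on a 6to4 pseudo-interface)
      'accept'        - embedded IPv4 address is public unicast and consistent
    """
    v4 = embedded_ipv4(v6_src)
    if v4 is None:
        return "not-6to4"
    if not v4.is_global:
        return "drop-bogon"
    if outer_ipv4_src is not None and ipaddress.IPv4Address(outer_ipv4_src) != v4:
        return "drop-mismatch"
    return "accept"


if __name__ == "__main__":
    # Constructed samples: the DirectAccess address quoted in the thread, a
    # 6to4 address embedding RFC 1918 space, one embedding loopback, and a
    # native (non-6to4) address.
    samples = [
        ("2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff", None),
        ("2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff", "67.50.170.170"),
        ("2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff", "203.0.113.9"),
        ("2002:c0a8:101::1", None),
        ("2002:7f00:1::1", None),
        ("2001:db8::1", None),
    ]
    for v6, outer in samples:
        v4 = embedded_ipv4(v6)
        iid = interface_id(v6) if v4 is not None else "-"
        print(f"{v6:40} embedded={v4!s:16} iid={iid:16} "
              f"outer={outer!s:16} -> {six_to_four_verdict(v6, outer)}")
```

Run it directly to see each sample classified; the quoted DirectAccess address decodes to 67.50.170.170 with interface identifier ccccddddeeeeffff, which is the point Brian makes about it not looking like a random temporary identifier. As Enno notes, such addresses normally stay inside the IP-HTTPS tunnel, so a border filter on 2002::/16 would only see them if they leaked onto the native IPv6 path.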