Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

router: filter IPv4-mapped IPv6 addresses #4415

Closed
matzf opened this issue Oct 10, 2023 · 0 comments · Fixed by #4579
Closed

router: filter IPv4-mapped IPv6 addresses #4415

matzf opened this issue Oct 10, 2023 · 0 comments · Fixed by #4579
Assignees
@jiceatscion
Labels
c/router SCION Router feature New feature or request

Comments

@matzf
Copy link
Contributor

matzf commented Oct 10, 2023

An IPv6 address can represent an IPv4 address, e.g. the IPv6 address ::ffff:172.20.2.2 represents the IPv4 address 172.20.2.2. This is called IPv4-mapped IPv6 address and is intended as a compatibility mechanism in dual stack hosts. These addresses are not intended to be used on the wire.
The SCION address header has explicit representation for IPv4 or IPv6 addresses with an explicit type discriminator. An IPv4 address can be encoded as either IPv4 type, or as IPv6 type containing an IPv4-mapped IPv6 address.
The latter choice is wasteful (16 bytes instead of 4) and not practically useful. The dual representation could potentially be abused to bypass naive or faulty packet filter implementations.

As there does not appear to be an upside in allowing IPv4-mapped IPv6 addresses in the SCION address header. To reduce the risk of abusive or accidental (as in #4377) use of these mapped addresses, the router should filter these packets. The following two processing rules should be added to the router:

  • packets destined for the local AS with an IPv4-mapped IPv6 destination address should be dropped (optional SCMP error message)
  • packets originating from the local AS with an IPv4-mapped IPV6 source address should be dropped (optional SCMP error message)
@matzf matzf mentioned this issue Oct 10, 2023
Merged
@matzf matzf added feature New feature or request c/router SCION Router labels Oct 30, 2023
@jiceatscion jiceatscion self-assigned this Jul 17, 2024
jiceatscion added a commit to jiceatscion/scion that referenced this issue Jul 17, 2024
@jiceatscion
Drop packets with an IP v4 mapped v6 address as either the src or dst…
d63e202 
… host

The check is done on the first hop for src and on the last hop for dst.

Fixes scionproto#4415
@jiceatscion jiceatscion mentioned this issue Jul 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiceatscion jiceatscion

Labels
c/router SCION Router feature New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

router: drop packets with v4 mapped v6 src/dst or unspecified dst hosts jiceatscion/scion
2 participants
@matzf @jiceatscion