router: filter IPv4-mapped IPv6 addresses #4415

Closed
matzf opened this issue Oct 10, 2023 · 0 comments · Fixed by #4579
matzf commented Oct 10, 2023

An IPv6 address can represent an IPv4 address, e.g. the IPv6 address ::ffff:172.20.2.2 represents the IPv4 address 172.20.2.2. This is called an IPv4-mapped IPv6 address and is intended as a compatibility mechanism in dual-stack hosts. These addresses are not intended to be used on the wire.
The SCION address header has explicit representation for IPv4 or IPv6 addresses with an explicit type discriminator. An IPv4 address can be encoded as either IPv4 type, or as IPv6 type containing an IPv4-mapped IPv6 address.
The latter choice is wasteful (16 bytes instead of 4) and not practically useful. The dual representation could potentially be abused to bypass naive or faulty packet filter implementations.

There does not appear to be an upside in allowing IPv4-mapped IPv6 addresses in the SCION address header. To reduce the risk of abusive or accidental (as in #4377) use of these mapped addresses, the router should filter these packets. The following two processing rules should be added to the router:

  • packets destined for the local AS with an IPv4-mapped IPv6 destination address should be dropped (optional SCMP error message)
  • packets originating from the local AS with an IPv4-mapped IPv6 source address should be dropped (optional SCMP error message)

@matzf matzf added feature New feature or request c/router SCION Router labels Oct 30, 2023
@jiceatscion jiceatscion self-assigned this Jul 17, 2024
jiceatscion added a commit to jiceatscion/scion that referenced this issue Jul 17, 2024
… host

The check is done on the first hop for src and on the last hop for dst.

Fixes scionproto#4415
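
Added example, not part of the issue or of the SCION code base: a Go sketch of the dual representation described in the issue, showing a filter that only inspects IPv4-typed addresses missing the mapped form, next to the two proposed drop rules. `HostAddr`, `hostAddr`, `naiveBlocked`, `isMapped` and `shouldDrop` are hypothetical names; the mapped-address test uses `Is4In6` from the standard `net/netip` package.

```go
package main

import (
	"fmt"
	"net/netip"
)

// HostAddr is a hypothetical stand-in for a host address in the SCION address
// header: an explicit type discriminator plus raw bytes (4 or 16).
type HostAddr struct {
	IsIPv6 bool
	Raw    []byte
}

// hostAddr builds a HostAddr from text, keeping the representation as written.
func hostAddr(s string) HostAddr {
	ip := netip.MustParseAddr(s)
	return HostAddr{IsIPv6: ip.Is6(), Raw: ip.AsSlice()}
}

// naiveBlocked models a faulty filter that matches only IPv4-typed addresses.
func naiveBlocked(a HostAddr, blocked netip.Addr) bool {
	if a.IsIPv6 {
		return false // never considers that 16 bytes may carry an IPv4 address
	}
	ip, ok := netip.AddrFromSlice(a.Raw)
	return ok && ip == blocked
}

// isMapped reports whether an IPv6-typed address is an IPv4-mapped IPv6 address.
func isMapped(a HostAddr) bool {
	ip, ok := netip.AddrFromSlice(a.Raw)
	return a.IsIPv6 && ok && ip.Is4In6()
}

// shouldDrop applies the two rules from the issue: mapped destination in the
// local AS, or mapped source originating from the local AS.
func shouldDrop(src, dst HostAddr, srcLocal, dstLocal bool) bool {
	return (dstLocal && isMapped(dst)) || (srcLocal && isMapped(src))
}

func main() {
	blocked := netip.MustParseAddr("172.20.2.2")
	// Constructed sample addresses; 2001:db8::1 is a documentation address.
	plain, mapped, peer := hostAddr("172.20.2.2"), hostAddr("::ffff:172.20.2.2"), hostAddr("2001:db8::1")
	fmt.Println("naive filter:", naiveBlocked(plain, blocked), naiveBlocked(mapped, blocked))
	fmt.Println("drop rules:", shouldDrop(peer, mapped, false, true), shouldDrop(mapped, peer, true, false))
}
```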