IPv6: Why are IPv4-mapped addresses a security risk?

The OpenBSD manual states:

> For security reasons, OpenBSD does not route IPv4 traffic to AF_INET6 sockets, and does not support IPv4-mapped addresses, where IPv4 traffic is seen as if it came from an IPv6 address such as ::ffff:10.1.1.1. If both IPv4 and IPv6 traffic are to be accepted, listen on two sockets.

However, there is no explanation of these "security reasons". What are they? I cannot think of any security issues related to this mapping.

+5
2 answers

I don't know specifically what motivation OpenBSD had, but I know of at least one issue that could be a security problem, namely ACLs and especially blacklists.

Suppose you have an incoming connection from 10.1.1.1. This address is blacklisted in your ACL, so you will refuse the connection. But if you use a mapped address, it will instead look like ::ffff:10.1.1.1. Your blacklist may not catch it and may let the connection through.

This can be solved in the application logic, and since using one socket can simplify the code, I personally think the OpenBSD solution is unsuccessful. It would be possible to disable v4mapped by default but allow it to be enabled through setsockopt.

They may have had more problems in mind, although I do not know of any.

+1
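The ACL bypass described in the answer above, as an added example that is not part of the original post: a literal IPv4 blocklist check misses the mapped form, a check that unwraps `::ffff:a.b.c.d` first does not, and an AF_INET6 listener can opt out of mapped traffic with `IPV6_V6ONLY` (the `setsockopt` route the answer mentions). The blocklist entry is a constructed sample value.

```python
import ipaddress
import socket

# Constructed sample blocklist, matching the answer's example address.
BLOCKLIST = {ipaddress.ip_address("10.1.1.1")}


def naive_is_blocked(peer: str) -> bool:
    """Literal comparison: an IPv4-mapped IPv6 peer never equals an IPv4 entry."""
    return ipaddress.ip_address(peer) in BLOCKLIST


def canonical_peer(peer: str) -> ipaddress._BaseAddress:
    """Unwrap ::ffff:a.b.c.d (in dotted or hex form) to the embedded IPv4 address."""
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked(peer: str) -> bool:
    """ACL check performed on the canonical address, so both forms are caught."""
    return canonical_peer(peer) in BLOCKLIST


def v6only_listener(port: int = 0) -> socket.socket:
    """AF_INET6 listener that refuses IPv4 traffic, as OpenBSD does by default.

    On dual-stack systems the IPV6_V6ONLY option must be set explicitly;
    a second AF_INET socket then handles IPv4 clients.
    """
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    s.bind(("::1", port))
    s.listen(1)
    return s


if __name__ == "__main__":
    for peer in ("10.1.1.1", "::ffff:10.1.1.1", "::ffff:a01:101", "2001:db8::1"):
        print(f"{peer:20} naive={naive_is_blocked(peer)!s:5} canonical={is_blocked(peer)}")
```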

As far as I know, the main reason is to block IPv4 and IPv6 stacks. The hacks needed to process packets that belong to one stack but are handled by the other are what pose the security risks.

0
