[asterisk-dev] [Code Review] Make ACLs IPv6-capable

Mark Michelson mmichelson at digium.com
Thu Jul 15 09:45:46 CDT 2010


On 07/15/2010 08:55 AM, Mark Michelson wrote:
> On 07/15/2010 06:35 AM, Simon Perreault wrote:
>    
>> On 2010-07-15 04:00, Olle E. Johansson wrote:
>>
>>      
>>> While this may be clever, it will be much harder separating IPv4 and IPv6 addresses. If I want to deny all IPv4 but not IPv6 the syntax will be hard to find out, even though it's possible for IPv4. I can't figure out how you deny all IPv6 addresses this way. We might want to explore adding prefixes just to make the configuration easier to handle and read.
>>>
>>> deny=ipv4,0.0.0.0
>>> deny=ipv6,0::0    ; Just deny all IPv6, but allow IPv4
>>>
>>>        
>> You shouldn't have to specify "ipv4" or "ipv6" in the config file. It's
>> easy to distinguish between the two types based on just the address itself.
>>
>> That said, you may be onto something here. What happens if I say
>>
>> deny=::/0
>>
>> Will that also block IPv4 completely?
>>
>> I don't think it should.
>>
>> Simon
>>
>>      
> Thanks for the feedback, guys. You bring up some good points that have
> shown that my instincts do not align with yours.
>
> There were two driving forces behind the way I implemented this. First,
> my tendency is to lean towards having an ACL err towards denying traffic
> rather than allowing it. To give an example of what I mean, a common ACL
> scheme in IPv4-only Asterisk versions is something like:
>
> deny = 0.0.0.0/0
> *bunch of permit lines for specific IP addresses*
>
> The idea here is to deny all traffic except for whitelisted addresses.
> My thought is that on an upgrade, the principle of least surprise would
> dictate that the whitelisted addresses are still the only ones allowed
> access even though there is no specific ACL to deny IPv6 addresses. The
> gist of this is that I decided that, in general, IPv4-specific ACLs
> should also apply to IPv6 addresses.
>
> Now, the second thing that influenced me is IPv4-mapped IPv6 addresses.
> Consider a simple ACL like:
>
> deny = 10.0.0.0/8
>
> Obviously, this should deny all IPv4 traffic from the 10.0.0.0 network.
> But what happens if you are told the source of a SIP request is
> ::ffff:10.17.34.211? This is an IPv6 address, so should the above ACL be
> applied? I would think so, but maybe this isn't what is expected. What
> do you think?
>
> Consider Simon's example ACL of:
>
> deny=::/0
>
> First off, my tendency to err on the side of denying traffic leads me to
> believe everything should be blocked, even IPv4 traffic. But let's go
> the other way and say that this will only apply to IPv6 addresses.
> Again, we are told the source of a SIP request is ::ffff:10.17.34.211.
> This is an IPv6 address, so the ACL should apply, right? But then again,
> it's an IPv4-mapped address, so maybe it should only be run through IPv4
> ACLs? Should a user expect the address to be denied or not?
>
> Of course, this can apply the opposite way as well. If someone in a very
> IPv6-centric installation puts an ACL like:
>
> deny=::ffff:0:0/96
>
> will this block only IPv4-mapped addresses or will it block IPv4
> addresses, too?
>
> I think Olle may be on the right track in that we can add specifiers to
> ACLs so that there is no chance of surprise, since it appears that
> instincts on what traffic will be permitted and denied vary from
> person to person. I would offer a slight change to the proposed syntax
> though just to ease coding and upgrading. I suggest that after a
> netmask, a user may specify "ipv4" or "ipv6" to indicate that the ACL
> should only be applied to addresses of a specific scheme. Here are some
> examples:
>
> 1. deny = 0.0.0.0/0      ;Applies to IPv4 and IPv6 addresses since no
> specifier was added
> 2. deny = 0.0.0.0/0/ipv4 ;Applies to IPv4 addresses (and perhaps
> IPv4-mapped IPv6 addresses?)
> 3. deny = 0.0.0.0/0/ipv6 ;Applies only to IPv4-mapped IPv6 addresses.
> Not terribly useful.
> 4. deny = ::/0           ;Applies to IPv4 and IPv6 addresses since no
> specifier was added
> 5. deny = ::/0/ipv6      ;Applies only to IPv6 addresses (includes
> IPv4-mapped IPv6 addresses)
> 6. deny = ::/0/ipv4      ;Applies to IPv4 and IPv4-mapped IPv6 addresses
>
> Let me know what you think about all this, and again, thanks for the
> quick feedback on this.
>
> Mark Michelson
>    
After reading more of Simon's comments, I'm inclined to think that I may 
have overthought this way too much. Basically, the consensus between 
Olle and Simon is that IPv4 ACLs should only apply to IPv4 and 
IPv4-mapped addresses, and IPv6 ACLs should only apply to IPv6 addresses 
(which would include IPv4-mapped addresses, too, I suppose). I shouldn't 
try to extrapolate more than what's on the page, so to speak. If someone 
just has

deny = 0.0.0.0/0

then it is their responsibility to change their ACLs to also deny IPv6 
traffic if that's what they wish to do.
I'm going to get to work to change things around. I'll just close the 
current review request and open a new one since I imagine the new 
request will not resemble the old one very much.

Thanks again for the feedback, guys! Making mistakes is the best way to 
learn something new :)

Mark Michelson
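A small model of the consensus semantics described in this thread (IPv4 rules match IPv4 sources and IPv4-mapped IPv6 sources; IPv6 rules match only IPv6 sources, mapped ones included), added here as an illustration and not code from Asterisk or the review request. It assumes Asterisk-style ordered permit/deny rules where the last matching rule wins and an address matching nothing is permitted.

```python
import ipaddress
from typing import List, Tuple


def parse_acl(lines: List[str]) -> List[Tuple[str, object]]:
    """Parse Asterisk-style 'permit = net' / 'deny = net' lines (';' starts a comment)."""
    rules = []
    for line in lines:
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        action, _, net = line.partition("=")
        action = action.strip().lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACL action: {action!r}")
        rules.append((action, ipaddress.ip_network(net.strip(), strict=False)))
    return rules


def candidates(src: str):
    """Addresses a rule may be checked against: the source itself, plus the
    embedded IPv4 address when the source is IPv4-mapped (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(src)
    cands = [addr]
    if addr.version == 6 and addr.ipv4_mapped is not None:
        cands.append(addr.ipv4_mapped)
    return cands


def acl_allows(rules, src: str) -> bool:
    """A rule applies only to sources of its own address family; an IPv4-mapped
    source counts as IPv6 and as its embedded IPv4 address. Assumption (not
    taken from the thread): rules run in order, last match wins, default permit."""
    verdict = True
    cands = candidates(src)
    for action, net in rules:
        if any(c.version == net.version and c in net for c in cands):
            verdict = action == "permit"
    return verdict


# Constructed sample ACLs mirroring the examples discussed in the thread.
WHITELIST = parse_acl(["deny = 0.0.0.0/0", "permit = 192.168.1.0/24"])
DENY_ALL_V6 = parse_acl(["deny=::/0   ; Simon's example"])
DENY_TEN = parse_acl(["deny = 10.0.0.0/8"])

if __name__ == "__main__":
    for rules, src in [(WHITELIST, "2001:db8::1"), (DENY_TEN, "::ffff:10.17.34.211")]:
        print(src, "->", "permit" if acl_allows(rules, src) else "deny")
```

Note that under these semantics the IPv4-only whitelist leaves a native IPv6 source permitted, which is exactly the upgrade case the message says operators must handle by adding an IPv6 deny themselves.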
