

Apple fixes broken IPv6 by breaking it some more - abraham
http://arstechnica.com/apple/news/2010/11/apple-fixes-broken-ipv6-by-breaking-it-some-more.ars

======
trotsky
Good for them. Because security infrastructure has lagged far behind, on-by-
default v6 encapsulation schemes like 6to4, Teredo, and ISATAP amount to huge
attack surfaces. When 99% of the world relies on v4-based network edge packet
filtering, these protocols essentially amount to automatic firewall evasion.
Sure, the ports can be blocked or DPI can be used by administrators, or users
can turn off these services, but the reality is that a vast majority are unaware
and vulnerable.

While they (generally) aren't an initial attack vector, they are easily and
often used by attackers that have knowledge of MAC addresses ahead of time, to
hide traffic in plain sight after an intrusion, or to hijack traffic in one-hop-
away scenarios. Look at any non-automated intrusions coming out of Asia and
you'll see 6 encapsulation in use two out of three times at least.

Unless the user has turned on these tools intentionally, or is operating in a
legitimate native v6 environment, OSes should never pick 6 first if both
endpoints can complete the route with 4.

~~~
JoachimSchipper
What kind of firewall lets 6to4 through without filtering it at all? "Default
deny" should take care of this.

------
wmf
This article is totally overblown; if a site is available over v4 and v6, why
does it matter which one you use?

~~~
nomis80
Because your IPv4 connection is much more likely to be NATed. This does not
matter for HTTP because it plays nice with NATs, but other protocols are much
pickier. For these other protocols it would make sense to prefer IPv6.

~~~
nomis80
Some more details... While IPv6 should be preferred, 6to4 turned out to not
work so great in practice. So it's a good decision by Apple to prefer IPv4
over it. But other kinds of IPv6 connectivity (including native) should still
be preferred over IPv4.
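As an added illustration (not from the article or from any commenter), the precedence step of destination address selection that produces the ordering discussed in this thread: native IPv6 first, then IPv4, then 6to4. The policy-table values are the published defaults from RFC 3484 (2003, where 6to4 still outranks IPv4) and RFC 6724 (2012, where it no longer does); the candidate addresses are constructed, and only the "prefer higher precedence" rule is modelled, not the full selection algorithm.

```python
import ipaddress

# Default precedence tables of the destination address selection policy
# (Rule 6, "prefer higher precedence"), keyed by policy prefix; the longest
# matching prefix decides. Values are the defaults published in each RFC.
# RFC 3484 (2003): every IPv6 destination, 6to4 included, outranks IPv4.
RFC3484_PRECEDENCE = {
    "::1/128": 50, "::/0": 40, "2002::/16": 30, "::/96": 20, "::ffff:0:0/96": 10,
}
# RFC 6724 (2012): IPv4 (35) outranks 6to4 (30) and Teredo (5), while native
# IPv6 (40) still wins; this matches the ordering the thread argues for.
RFC6724_PRECEDENCE = {
    "::1/128": 50, "::/0": 40, "::ffff:0:0/96": 35, "2002::/16": 30,
    "2001::/32": 5, "fc00::/7": 3, "::/96": 1, "fec0::/10": 1, "3ffe::/16": 1,
}


def _as_v6(addr):
    """Represent IPv4 as an IPv4-mapped IPv6 address so one table applies."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}") if ip.version == 4 else ip


def precedence(addr, table):
    """Precedence of the longest policy prefix that covers addr."""
    ip = _as_v6(addr)
    matches = [(ipaddress.IPv6Network(p), v) for p, v in table.items()
               if ip in ipaddress.IPv6Network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def transition_kind(addr):
    """Label a resolved address as native, 6to4, teredo or ipv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    if ip in ipaddress.IPv6Network("2002::/16"):
        return "6to4"        # RFC 3056: embeds a public IPv4 address
    if ip in ipaddress.IPv6Network("2001::/32"):
        return "teredo"      # RFC 4380: IPv6 over IPv4/UDP through NAT
    return "native"


def order_destinations(addrs, table):
    """Candidate destinations, most preferred first (stable for ties)."""
    return sorted(addrs, key=lambda a: precedence(a, table), reverse=True)


if __name__ == "__main__":
    # Constructed sample: the address set a dual-stack lookup might return.
    candidates = ["192.0.2.10", "2002:c000:20a::1", "2001:db8::1",
                  "2001:0:c000:20a::1"]
    for name, table in (("RFC 3484", RFC3484_PRECEDENCE),
                        ("RFC 6724", RFC6724_PRECEDENCE)):
        ranked = order_destinations(candidates, table)
        print(name, [(a, transition_kind(a)) for a in ranked])
```

Running it shows the same four candidates ranked native, 6to4, IPv4 under the older table and native, IPv4, 6to4, Teredo under the newer one; the `transition_kind` label is also what a defender would log to spot tunneled destinations among resolved addresses.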

