Firewall Wizards mailing list archives

Re: IPv6 and firewall policies?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sun, 31 Oct 2004 04:14:32 -0500 (EST)

On Sat, 30 Oct 2004, Darren Reed wrote:

> In some email I received from Paul D. Robertson, sie wrote:
>> Is anyone doing anything with IPv6 other than either "let it back if I
>> talk it out," "block it completely," or "ignore it and hope it goes away?"
>
> I'm rather dismayed at firewalling and IPv6, even just within packet
> filters, because there seems to be little understanding (as yet) of
> what IPv6 does and can do, along with the security implications of
> that.  What extension headers need to be blocked ?  What ones are
> safe to allow ?  What are the risks with each of these ?
>
> Are you asking because it is within scope, asking whether or not
> it should be included in the scope or something else ?

I'm just trying to figure out where things are now and what strategies
should be employed from there moving forward.

We were fortunate in starting with ALGs for IPv4 firewalling, because it
took away so many of the issues with fragmentation, flags and
segmentation - or at least relegated them to a single stack's
implementation.  With IPv6, I'm afraid we're going to come at it from a
packet filter first approach, and that's got me worried that we're going
to go through the same cycle all over again.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation