Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 22 Aug 2007 12:56:27 -0700
Marcus J. Ranum wrote:
> Dave Piscitello wrote:
> > I suppose I should begin by answering "why the interest in IPv6?" question. Simply put, we are running out of IPv4 addresses (yeah, I know, the Sky is Falling, NAT will save us forever...). Based on current consumption rates, some folks speculate that the remaining addresses not yet distributed by IANA will be exhausted by 2009.
>
> This prediction was made before, if I recall correctly. In 1994. Except that we were going to run out, uh, in 1999. Yes, the sky is falling, but it appears to be falling fairly slowly and gently. :) Perhaps something better than IPv6 will still come along. You know, like what a few of us suggested back in 1992 - namely doubling the address size, left-filling with zeroes, and bumping the version number? ;)
It's not just this: people today want to deploy/build large scale IP networks where 10/8 isn't enough, not to mention giving those addresses visibility to the Internet. The only way that they can plan to do this is by specifying that IPv6 is used - there is no other alternative. Anyone want to start a pool/tab on when the sky will reach the ground? :)
> But, to your real point:
> > I'm not convinced we can even meet the modest (that's as polite as I can be) security baseline we achieve with IPv4 security products with available IPv6 security products. What little I've learned in the short time I've spent asking security companies about IPv6 support isn't encouraging.
>
> It shouldn't be. Let's see - it took HOW long to even sort out the most obvious DOS vectors in V4, which was a vastly simpler protocol. The recent rumblings about problems in V6 indicate that finding flaws in V6 will be a lot like hunting Passenger Pigeons was in the 1700's: point your shotgun at the sky and pull the trigger and several will fall at your feet.
The security problems are the same, just that some have different names now. Loose/strict source routing options from IPv4 are present in IPv6 under a new guise - this new costume resulted in a few platforms shipping with processing of them enabled by default. In IPv6 the devils are extension headers and in this case, the routing extension header (but only type 0, so they say...). As with IPv4, a standard TCP connection between two IPv6 hosts requires no special options, so if you're looking for an IPv6 firewall, look for one that simply allows you to block all packets with extension headers. This will undoubtedly offend all manner of IPv6 folks, but that's the place we have to start with for IPv6.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
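The filtering rule Darren describes (drop anything carrying an IPv6 extension header, or at minimum Routing Header type 0) comes down to walking the Next Header chain behind the 40-byte fixed header. The following is an added example, not code from the post or from any firewall product: it parses that chain from raw packet bytes and applies the two policies to three constructed packets (a plain TCP SYN, a TCP SYN behind an RH0 header, and a UDP datagram behind Destination Options and a Fragment header). The addresses are from the 2001:db8::/32 documentation range and the packets are built inline; the header sizes follow the RFC 2460 layout (generic TLV headers counted in 8-octet units, AH in 4-octet units, Fragment fixed at 8 bytes).

```python
import struct

# IPv6 protocol numbers (IANA "Protocol Numbers" registry values)
IPV6_FIXED_HEADER_LEN = 40
EXT_HOP_BY_HOP = 0
EXT_ROUTING = 43
EXT_FRAGMENT = 44
EXT_ESP = 50
EXT_AH = 51
EXT_DEST_OPTS = 60
# Mobility (135), HIP (139) and Shim6 (140) share the generic TLV layout.
EXTENSION_HEADERS = {EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_ESP,
                     EXT_AH, EXT_DEST_OPTS, 135, 139, 140}
PROTO_TCP, PROTO_UDP = 6, 17


def walk_extension_headers(packet: bytes):
    """Walk the Next Header chain of one IPv6 packet.

    Returns (chain, upper_layer): chain is a list of (header_number, routing_type)
    tuples in wire order (routing_type is None for non-routing headers) and
    upper_layer is the final protocol number, or None when the chain ends in
    ESP, whose payload is encrypted and cannot be inspected.
    Raises ValueError on malformed or truncated input.
    """
    if len(packet) < IPV6_FIXED_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header = packet[6]
    offset = IPV6_FIXED_HEADER_LEN
    chain = []
    while next_header in EXTENSION_HEADERS:
        if next_header == EXT_ESP:
            chain.append((EXT_ESP, None))
            return chain, None
        if offset + 8 > len(packet):            # every extension header is >= 8 bytes
            raise ValueError("truncated extension header")
        following = packet[offset]
        ext_len = packet[offset + 1]
        if next_header == EXT_FRAGMENT:
            hdr_len = 8                         # fixed size; byte 1 is reserved
        elif next_header == EXT_AH:
            hdr_len = (ext_len + 2) * 4         # AH length is in 32-bit words minus 2
        else:
            hdr_len = (ext_len + 1) * 8         # 8-octet units, excluding the first 8
        if offset + hdr_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        routing_type = packet[offset + 2] if next_header == EXT_ROUTING else None
        chain.append((next_header, routing_type))
        next_header = following
        offset += hdr_len
    return chain, next_header


def firewall_verdict(packet: bytes, block_all_extension_headers: bool = True) -> str:
    """Return "DROP" or "PASS" for one packet.

    True selects the blunt policy the post argues for: anything carrying an
    extension header is dropped. False selects the narrower policy that drops
    only Routing Header type 0, the IPv6 relative of IPv4 source routing.
    """
    try:
        chain, _ = walk_extension_headers(packet)
    except ValueError:
        return "DROP"                           # unparseable chains are dropped too
    if block_all_extension_headers:
        return "DROP" if chain else "PASS"
    if any(hdr == EXT_ROUTING and rtype == 0 for hdr, rtype in chain):
        return "DROP"
    return "PASS"


# --- constructed sample packets (documentation addresses, not captured traffic) ---
SRC = bytes.fromhex("20010db8" + "0000" * 5 + "0001")   # 2001:db8::1
DST = bytes.fromhex("20010db8" + "0000" * 5 + "0002")   # 2001:db8::2
VIA = bytes.fromhex("20010db8" + "0000" * 5 + "0003")   # 2001:db8::3, RH0 hop


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    # version 6 / TC 0 / flow 0, payload length, next header, hop limit 64
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


TCP_STUB = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN
UDP_STUB = struct.pack("!HHHH", 40000, 53, 8, 0)

PLAIN_TCP = build_ipv6(PROTO_TCP, TCP_STUB)

# Routing header type 0: next=TCP, ext len 2 (one 16-byte address), type 0, segments left 1
RH0 = bytes([PROTO_TCP, 2, 0, 1]) + b"\x00" * 4 + VIA
RH0_TCP = build_ipv6(EXT_ROUTING, RH0 + TCP_STUB)

# Destination Options (one PadN option) followed by a Fragment header, then UDP
DEST_OPTS = bytes([EXT_FRAGMENT, 0, 1, 4]) + b"\x00" * 4
FRAGMENT = bytes([PROTO_UDP, 0]) + struct.pack("!HI", 0, 0x1234)
DSTOPT_FRAG_UDP = build_ipv6(EXT_DEST_OPTS, DEST_OPTS + FRAGMENT + UDP_STUB)


if __name__ == "__main__":
    for name, pkt in [("plain TCP", PLAIN_TCP), ("RH0 + TCP", RH0_TCP),
                      ("DstOpts + Frag + UDP", DSTOPT_FRAG_UDP)]:
        chain, upper = walk_extension_headers(pkt)
        print(f"{name:22s} chain={chain} upper={upper} "
              f"strict={firewall_verdict(pkt)} rh0-only={firewall_verdict(pkt, False)}")
```

Two caveats the walk makes visible: a chain ending in ESP cannot be inspected past that header, and a non-initial fragment carries only part of the chain, so a per-packet check cannot see headers that landed in another fragment. Both are reasons the blunt policy is simpler to reason about than per-header exceptions, at the cost Darren acknowledges: it also drops legitimate fragmented and IPsec traffic.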