Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Wed, 22 Aug 2007 20:02:05 -0400
Date: Wed, 22 Aug 2007 12:56:27 -0700
From: Darren Reed <darrenr () reed wattle id au>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List <firewall-wizards () listserv cybertrust com>
Cc: "Marcus J. Ranum" <mjr () ranum com>, dave () corecom com
Message-ID: <46CC94EB.10707 () reed wattle id au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Marcus J. Ranum wrote:
> It shouldn't be. Let's see - it took HOW long to even sort out the most obvious DOS vectors in V4, which was a vastly simpler protocol. The recent rumblings about problems in V6 indicate that finding flaws in V6 will be a lot like hunting Passenger Pigeons was in the 1700's: point your shotgun at the sky and pull the trigger and several will fall at your feet.

The security problems are the same, just that some have different names now. Loose/strict source routing options from IPv4 are present in IPv6 under a new guise - this new costume resulted in a few platforms shipping with processing of them enabled by default. In IPv6 the devils are extension headers and in this case, the routing extension header (but only type 0, so they say...)

Darren

Some of the problems are a bit different due to the increased scale. For example, can you think of a good way to proactively scan an entire IPv6 subnet for vulnerabilities and rogue hosts? With v4 and RFC 1918, it is barely feasible to actively scan 10/8 within a reasonable amount of time, so v6 presents a new challenge in this respect. Basically, you have to wait until something starts talking and then go out and scan it. Either way, you're going to be waiting a while before you even know it's there.

-MAB

--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000
Fax: +1.240.747.3512

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
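
An added example, not part of the original message or of any firewall's own code: Python that walks the extension-header chain of a raw IPv6 packet to find the type 0 routing header mentioned in the quoted text above, including when it sits behind another extension header. The function names, the drop policy and the sample packets (built from the 2001:db8::/32 documentation prefix) are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IANA Next Header numbers for the extension headers this walker understands.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def routing_headers(packet: bytes):
    """Walk one raw IPv6 packet's extension-header chain and return
    [(routing_type, segments_left), ...]. Raises ValueError on input it
    cannot parse so the caller can fail closed."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, found = packet[6], 40, []
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment headers are a fixed 8 bytes; the others carry a length
        # in 8-octet units that excludes the first 8 octets.
        size = 8 if nh == FRAGMENT else (packet[off + 1] + 1) * 8
        if off + size > len(packet):
            raise ValueError("extension header overruns packet")
        if nh == ROUTING:
            found.append((packet[off + 2], packet[off + 3]))
        if nh == FRAGMENT and struct.unpack_from("!H", packet, off + 2)[0] >> 3:
            break  # non-first fragment: what follows is payload, not headers
        nh, off = packet[off], off + size
    return found

def should_drop(packet: bytes) -> bool:
    """Assumed filter policy: drop type 0 routing headers and anything unparseable."""
    try:
        return any(rtype == 0 for rtype, _ in routing_headers(packet))
    except ValueError:
        return True

# Constructed sample packets; nothing here is captured traffic.
def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

HOP_ADDR = ipaddress.IPv6Address("2001:db8::3").packed
RH0 = bytes([59, 2, 0, 1, 0, 0, 0, 0]) + HOP_ADDR      # type 0, one segment left
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])            # hop-by-hop holding PadN
PLAIN = ipv6_packet(59, b"")                           # 59 = No Next Header
DIRECT = ipv6_packet(ROUTING, RH0)
BEHIND_HBH = ipv6_packet(HOP_BY_HOP, HBH + RH0)        # RH0 is second in the chain
TRUNCATED = DIRECT[:44]                                # cut inside the routing header
```

A filter that inspects only the Next Header field of the fixed header passes `BEHIND_HBH`, which is why the whole chain has to be walked.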