Firewall Wizards mailing list archives

Re: IPv6 support in firewalls

From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Wed, 22 Aug 2007 20:02:05 -0400

Date: Wed, 22 Aug 2007 12:56:27 -0700
From: Darren Reed <darrenr () reed wattle id au>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
      <firewall-wizards () listserv cybertrust com>
Cc: "Marcus J. Ranum" <mjr () ranum com>, dave () corecom com
Message-ID: <46CC94EB.10707 () reed wattle id au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Marcus J. Ranum wrote:

It shouldn't be. Let's see - it took HOW long to even sort out the
most obvious DOS vectors in V4, which was a vastly simpler
protocol. The recent rumblings about problems in V6 indicate
that finding flaws in V6 will be a lot like hunting Passenger
Pigeons was in the 1700's: point your shotgun at the sky and
pull the trigger and several will fall at your feet.


The security problems are the same, just that some have different
names now.  Loose/strict source routing options from IPv4 are
present in IPv6 under a new guise - this new costume resulted
in a few platforms shipping with processing of then enabled by
default.  In IPv6 the devils are extension headers and in this case,
the routing extension header (but only type 0, so they say...)
Darren


Some of the problems are a bit different due to the increased scale.  For
example, can you think of a good way to proactively scan an entire IPv6
subnet for vulnerabilities and rogue hosts?  With v4 and RFC 1918, it is
barely feasible to actively scan 10/8 within a reasonable amount of time, so
v6 presents a new challenge in this respect.  Basically, you have to wait
until something starts talking and then go out and scan it.  Either way,
you're going to be waiting a while before you even know it's there.

-MAB

--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: IPv6 support in firewalls Mike Barkett (Aug 23)
- Re: IPv6 support in firewalls Steven M. Bellovin (Aug 23)
  - Re: IPv6 support in firewalls Marcus J. Ranum (Aug 24)
    - Re: IPv6 support in firewalls Steven M. Bellovin (Aug 24)
- <Possible follow-ups>
- Re: IPv6 support in firewalls Roger Marquis (Aug 27)
- Re: IPv6 support in firewalls Jim Seymour (Aug 29)