Firewall Wizards mailing list archives

SPAM Re: IPv6 support in firewalls

From: Dave Piscitello <dave () corecom com>
Date: Thu, 23 Aug 2007 17:06:55 -0400

I'm sorry, but you are not using the term end-to-end in the correct context.

End-to-end has less do with addressing and more to do with where you putfunctionality. Read Saltzer, Reed and Clark's article on End to endprinciples in system design (ACM) or some classic articles by DavidCheriton, et. al.

End-to-end was directed at the notion of "smart connection endpoints,dumb network", as opposed to a telephony model of "smart network, dumbendpoints (phones)".

Today, very few end user applications and connections are end-to-endaddressed. Look at SSL VPNs. Look at many web or other application datacenters.

We have far more "box in the middle" configurations than end-to-endaddressable connections today, and as my respected colleague, CraigMelson has already stated so elegantly


"One of the great things about the perceived scarcity of IPv4
space on the Internet is that it finally forced most of the
institutions that were still using public addresses for everything
with an Ethernet port in it to implement NAT."

Almost any firewalled configuration uses IP masquerading and that'shugely important. Do you really think it's better to assign publicaddress space behind firewalls? Do you really want everyone to knowevery IP address block your organization uses internally by querying anRIR?


These combined are reasons to implement IPv4 forever:-)

Having said this, I agree with much of what you say about writing anIPv6 firewall. Aside from writing secure code for the IPv6 kernel, a bigchunk of the work is deciding what of the IPv6 datagram header posesecurity threats and how you intend to use or dispose of them. Vendorswho wrote ALGs/proxies may in fact have some advantage over "intensely,pervasively and ecumenically stateful inspection" (aye, Cap'n).

It's not that it is hard Patrick, it's that we have hundreds ofsecurity vendors competing for a tiny fraction of IT budgets, so marginscount. Few product development teams will place IPv6 implementation atthe top of the feature list until the market matures. Currently, I wouldhesitate to even call the IPv6 market nascent (in terms of promise ofrevenue).


So we are stuck between the rock and the hard place.

Patrick M. Hausen wrote:

Hi, wizards,

On Thu, Aug 23, 2007 at 02:42:03PM -0400, Dave Piscitello wrote:
Marcus, a proposal nearly identical to what you suggest was one of the firstpresented at the IETF in the mid-1990s. At the time, the intelligentiaTFpoo-pooed it as not being sufficiently forward-looking and innovative. Itdidn't consider 64-bit alignment. It didn't *fix* options. It didn't *fix*QOS. It didn't accommodate IP security in a "native" manner.
Happily, time wounds all heels. Over a decade later, and we've bent,twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it doeseverything IPv6 promised - and now, all IPv6 brings to the table is a biggerfield for addresses and an ungainly, unwanted and arguably unwarrantabletransition scenario.
IPv6 brings back the end-to-end principle and NAT its well-deserved
death. This alone should be enough reason to go for it.

And I don't see what should be paticularly more difficult to
implement in an IPv6 based application level gateway than in
an IPv4 based one. Terminate both connections in a proxy process
instead of messing with headers. Simple and effective.

OK, honestly, I cannot write an "IPv6" firewall on a jug of beer
and I don't claim I could. But some vendors got it mostly right
for IPv4 simply by using transparent proxy processes instead
of "deep adaptive whatever inspection".

And a TCP connection carrying HTTP is a TCP connection carrying
HTTP regardless of the layer 3 protocol. I expect the few remaining
ALG vendors to be the first to have proper IPv6 capable solutions
for this simple architectural reason.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit

Attachment: dave.vcf
Description:

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: IPv6 support in firewalls, (continued)
- - - Re: IPv6 support in firewalls Shahin Ansari (Aug 22)
    - Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
    - Re: IPv6 support in firewalls Mohit Sharma (Aug 23)
    - Re: IPv6 support in firewalls Marcus J. Ranum (Aug 23)
    - Re: IPv6 support in firewalls Darren Reed (Aug 22)
    - Message not available
    - Re: IPv6 support in firewalls Darren Reed (Aug 23)
    - Re: IPv6 support in firewalls Shahin Ansari (Aug 23)
    - Re: IPv6 support in firewalls Marcus J. Ranum (Aug 23)
    - ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
    - Re: IPv6 support in firewalls Patrick M. Hausen (Aug 23)
    - ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
    - Re: ***SPAM*** Re: IPv6 support in firewalls ArkanoiD (Aug 24)
    - Re: ***SPAM*** Re: IPv6 support in firewalls Patrick M. Hausen (Aug 27)
    - Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
    - Re: IPv6 support in firewalls ArkanoiD (Aug 27)
    - Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
    - Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
    - Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
    - Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)
    - Re: IPv6 support in firewalls Behm, Jeffrey L. (Aug 27)
    - Re: IPv6 support in firewalls Paul D. Robertson (Aug 27)

(Thread continues...)

Firewall Wizards mailing list archives

***SPAM*** Re: IPv6 support in firewalls

Current thread:

SPAM Re: IPv6 support in firewalls