Educause Security Discussion mailing list archives
Re: IPv6 and DHCP and ICMP
From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Wed, 23 May 2012 21:22:43 +0000
ICMPv4 should *never* have been "completely eliminated" from public network (interacting with local network), but there's only a small set of messages that *need* to pass an Internet/local policy boundary. Limited, yes, but I've seen way too many blanket drop policies that I'm a little touchy on the subject.

There's a slightly larger set of required ICMPv6 messages that must cross an Internet/local policy boundary to enable, for example, path-MTU discovery. Our current proposals, LAN and WAN testbed configurations follow RFC 4890 ICMPv6 recommendations for firewall transit "must not be dropped" and "normally should not be dropped" pretty closely, although we're not currently testing mobile IPv6, and haven't decided whether to support it in the near term.

-jml

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Manjak, Martin
Sent: Wednesday, May 23, 2012 3:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPv6 and DHCP and ICMP

I want to focus on one point that Randy made at the end of his post (below), i.e., scanning. In the v4 world, best practices emerged that limited or completely eliminated ICMP from the public network. Since Randy is encouraging re-calibration, we're wondering if these types of filters on the public side of the router are still recommended, worthwhile, or even feasible given the role ICMP plays in v6 assignments.

Marty Manjak
ISO
University at Albany

The University at Albany will never ask you to reveal your password. Please ignore all such requests.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Wednesday, May 23, 2012 2:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPv6 and DHCP

I would encourage everyone to listen to Phil's talk. My point is that the v6 address space will force a change in the way we approach security. No more sequential scanning of a subnet (takes too long) but definitely more cluster based scanning (found a v6 address, scan +-1 address on either side to find clusters of similar services perhaps?). Our Moving Target Defense work (google MT6D) and prototypes show dynamic address switching in v6 works. We're trying to figure out the implications of this with respect to IDS/IPS and firewalls. In other words, we (the US) will have to move to v6 eventually since the rest of the world is (particularly the Asian countries), so start investigating how to implement it.

-Randy
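As an added illustration of the RFC 4890 transit policy John refers to (my own example, not the poster's testbed configuration), the snippet below classifies ICMPv6 type/code pairs into the RFC's "must not be dropped" and "normally should not be dropped" sets for an Internet/local boundary and emits numeric nftables accept rules for them; the mobile IPv6 messages sit behind a flag, since the poster has not decided whether to support them. The type/code tables are my reading of RFC 4890 section 4.3, and the nftables chain layout and numeric match syntax are assumptions.

```python
"""Classify ICMPv6 transit traffic per RFC 4890 section 4.3 and emit nftables
accept rules. Added example (my reading of the RFC), not the poster's config."""
from enum import Enum

class Verdict(Enum):
    MUST_PASS = "must not be dropped"              # RFC 4890 4.3.1
    SHOULD_PASS = "normally should not be dropped"  # RFC 4890 4.3.2
    DROP = "drop (no policy case made)"             # everything else, default deny

ANY = None  # wildcard for the ICMPv6 code field

# Error messages needed for PMTU discovery and unreachability reporting, plus
# echo for diagnostics, must cross the boundary; codes are restricted where the
# RFC restricts them (Time Exceeded code 0, Parameter Problem codes 1 and 2).
MUST_PASS = {(1, ANY), (2, ANY), (3, 0), (4, 1), (4, 2), (128, ANY), (129, ANY)}
SHOULD_PASS = {(3, 1), (4, 0)}                         # reassembly timeout, bad header
MOBILE_IPV6 = {(144, ANY), (145, ANY), (146, ANY), (147, ANY)}  # also in 4.3.2

def classify(icmp_type, icmp_code, mobile_ipv6=False):
    """Return the RFC 4890 transit verdict for one ICMPv6 (type, code) pair.
    Link-local NDP/MLD (130-137, 143) and unallocated types fall through to DROP."""
    for key in ((icmp_type, icmp_code), (icmp_type, ANY)):
        if key in MUST_PASS:
            return Verdict.MUST_PASS
        if key in SHOULD_PASS or (mobile_ipv6 and key in MOBILE_IPV6):
            return Verdict.SHOULD_PASS
    return Verdict.DROP

def nft_rules(mobile_ipv6=False):
    """Emit one nftables accept rule per allowed type (or type+code) using
    numeric matches; the enclosing chain is expected to end in 'drop'."""
    allowed = MUST_PASS | SHOULD_PASS | (MOBILE_IPV6 if mobile_ipv6 else set())
    rules = []
    for t, c in sorted(allowed, key=lambda k: (k[0], -1 if k[1] is None else k[1])):
        match = f"icmpv6 type {t}" + ("" if c is None else f" icmpv6 code {c}")
        rules.append(f"{match} accept")
    return rules

if __name__ == "__main__":
    # Regular chain meant to be reached via 'meta l4proto icmpv6 jump icmpv6_transit'
    # from the forward hook; trailing 'drop' enforces default deny for ICMPv6.
    print("table inet filter {\n  chain icmpv6_transit {")
    for rule in nft_rules(mobile_ipv6=False):
        print("    " + rule)
    print("    drop\n  }\n}")
```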