Re: IPv6 and firewall policies?

["Paul D. Robertson" <paul () compuwar net>]

On Mon, 1 Nov 2004, Darren Reed wrote:

> > We were fortunate in starting with ALGs for IPv4 firewalling, because it
> > took away so many of the issues with fragmentation, flags and
> > segmentation- or at least relegated them to a single stack's
> > implementation.  With IPv6, I'm afraid we're going to come at it from a
> > packet filter first approach, and that's got me worried that we're going
> > to go through the same cycle all over again.
>
> To some extent, I think you're right...
>
> Some web resources I found quickly:
>
> http://www.terena.nl/conferences/tnc2004/core_getfile.php?file_id=323
> http://www.seanconvery.com/v6-v4-threats.pdf

Thanks, I'll add those to my ever enlarging IPv6 bookmarks...

> There's only one free firewall I wouldn't use for IPv6 - pf.

*cough* that won't get any response *cough* ;)

> It has no ability to match (and drop) packets given the presence of
> IPv6 extension headers except for fragments (drops automatically),
> leaving you open to attack through use of routing headers (at the
> very least.)  Maybe they don't consider this a problem, I don't know,
> but everyone else seems to let you filter on extension headers and
> the routing header is deemed to be the IPv6 equivalent of IPv4's
> loose source routing option and what does everyone do with that?

Well, it seems at least firewalls won't be obsoleted by v6- but that's all
the good news I can see so far.

> So I think there's some amount of danger in going through that cycle
> again if things like that can be ignored but some people are aware of
> these things and are documenting them and making sure people are not
> left in the blind about the risks, etc.

I'm just afraid that given the specs, and the "though shalt support all
this foo" stuff that we're in for a cycle that includes lots of pain, kind
of like IPSec originally.

I've just started going through the v6ops archives[1], it's good to see
that security is being raised in some of the discussions, but all the tunnel
broker and routing stuff has me at least slightly worried, as does the
zeroconf foo.

Still, perhaps v6 will give us the chance to get folks to do egress
filtering at their borders by default- maybe that's where we should be
pushing firewall author's/vendor's buttons first?

Paul
[1] http://ops.ietf.org/lists/v6ops/
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards