Firewall Wizards mailing list archives
Re: IPv6 and firewall policies?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sun, 31 Oct 2004 18:49:41 -0500 (EST)
On Mon, 1 Nov 2004, Darren Reed wrote:
We were fortunate in starting with ALGs for IPv4 firewalling, because it took away so many of the issues with fragmentation, flags and segmentation- or at least relegated them to a single stack's implementation. With IPv6, I'm afraid we're going to come at it from a packet filter first approach, and that's got me worried that we're going to go through the same cycle all over again.To some extent, I think you're right... Some web resources I found quickly: http://www.terena.nl/conferences/tnc2004/core_getfile.php?file_id=323 http://www.seanconvery.com/v6-v4-threats.pdf
Thanks, I'll add those to my ever enlarging IPv6 bookmarks...
There's only one free firewall I wouldn't use for IPv6 - pf.
*cough* that won't get any response *cough* ;)
It has no ability to match (and drop) packets given the presence of IPv6 extension headers except for fragments (drops automatically), leaving you open to attack through use of routing headers (at the very least.) Maybe they don't consider this a problem, I don't know, but everyone else seems to let you filter on extension headers and the routing header is deemed to be the IPv6 equivalent of IPv4's loose source routing option and what does everyone do with that?
Well, it seems at least firewalls won't be obsoleted by v6- but that's all the good news I can see so far.
So I think there's some amount of danger in going through that cycle again if things like that can be ignored but some people are aware of these things and are documenting them and making sure people are not left in the blind about the risks, etc.
I'm just afraid that given the specs, and the "though shalt support all this foo" stuff that we're in for a cycle that includes lots of pain, kind of like IPSec originally. I've just started going through the v6ops archives[1], it's good to see that security is being raised in some of the discussions, but all the tunnel broker and routing stuff has me at least slightly worried, as does the zeroconf foo. Still, perhaps v6 will give us the chance to get folks to do egress filtering at their borders by default- maybe that's where we should be pushing firewall author's/vendor's buttons first? Paul [1] http://ops.ietf.org/lists/v6ops/ ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: IPv6 and firewall policies? Paul D. Robertson (Nov 01)