Firewall Wizards mailing list archives

Re: IPv6 and firewall policies?


From: Darren Reed <darrenr () reed wattle id au>
Date: Mon, 1 Nov 2004 03:58:44 +1100 (EST)

In some email I received from Paul D. Robertson, sie wrote:
> On Sat, 30 Oct 2004, Darren Reed wrote:
> 
> > In some email I received from Paul D. Robertson, sie wrote:
> > > Is anyone doing anything with IPv6 other than either "let it back if I
> > > talk it out," "block it completely," or "ignore it and hope it goes away?"
> > 
> > I'm rather dismayed at firewalling and IPv6, even just within packet
> > filters, because there seems to be little understanding (as yet) of
> > what IPv6 does and can do, along with the security implications of
> > that.  What extension headers need to be blocked ?  What ones are
> > safe to allow ?  What are the risks with each of these ?
> > 
> > Are you asking because it is within scope, asking whether or not
> > it should be included in the scope or something else ?
> 
> I'm just trying to figure out where things are now and what strategies
> should be employed from there moving forward.
> 
> We were fortunate in starting with ALGs for IPv4 firewalling, because it
> took away so many of the issues with fragmentation, flags and
> segmentation, or at least relegated them to a single stack's
> implementation.  With IPv6, I'm afraid we're going to come at it from a
> packet filter first approach, and that's got me worried that we're going
> to go through the same cycle all over again.

To some extent, I think you're right...

Some web resources I found quickly:

http://www.terena.nl/conferences/tnc2004/core_getfile.php?file_id=323
http://www.seanconvery.com/v6-v4-threats.pdf

There's only one free firewall I wouldn't use for IPv6 - pf.
It has no ability to match (and drop) packets given the presence of
IPv6 extension headers except for fragments (drops automatically),
leaving you open to attack through use of routing headers (at the
very least).  Maybe they don't consider this a problem, I don't know,
but everyone else seems to let you filter on extension headers, and
the routing header is deemed to be the IPv6 equivalent of IPv4's
loose source routing option, and what does everyone do with that?

So I think there's some amount of danger in going through that cycle
again if things like that can be ignored but some people are aware of
these things and are documenting them and making sure people are not
left in the blind about the risks, etc.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
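The filtering decision Darren describes (match on the presence of IPv6 extension headers, drop routing headers the way loose source routing is dropped in IPv4) as an added example. This is illustrative Python written for this archive page; it is not code from the post, from pf, from IPFilter or from any other firewall. The sample packets are constructed inline rather than captured, and ALLOWED_UPPER, MAX_EXT_HEADERS and the policy rules in filter_packet are assumptions chosen to show the idea, not anyone's recommended defaults.

```python
"""Walk an IPv6 extension-header chain and apply a simple drop/pass policy."""
import struct

# IPv6 next-header values (IANA protocol numbers)
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONEXT, DSTOPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60)
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}  # ESP is opaque, so the walk stops there
ALLOWED_UPPER = {TCP, UDP, ICMPV6, ESP, NONEXT}         # assumption: the site's permitted upper layers
MAX_EXT_HEADERS = 8                                     # assumption: sanity limit on chain length


def parse_chain(pkt):
    """Return (headers, upper_proto, payload_offset) for an IPv6 packet.

    Each header is a dict with 'type' and 'len'; Routing headers add 'rt_type'
    and 'segments_left', Fragment headers add 'offset' and 'more'.
    Raises ValueError for anything malformed, which a filter should treat as a drop.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, headers = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(headers) >= MAX_EXT_HEADERS:
            raise ValueError("extension-header chain too long")
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                        # Fragment header is a fixed 8 octets
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4   # AH Payload Len is in 32-bit words, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units, excluding the first 8
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        hdr = {"type": nh, "len": hlen}
        if nh == ROUTING:
            hdr["rt_type"], hdr["segments_left"] = pkt[off + 2], pkt[off + 3]
        elif nh == FRAGMENT:
            frag = struct.unpack_from("!H", pkt, off + 2)[0]
            hdr["offset"], hdr["more"] = frag >> 3, frag & 1
        headers.append(hdr)
        nh, off = pkt[off], off + hlen      # Next Header is always the first octet
    return headers, nh, off


def filter_packet(pkt):
    """Illustrative policy (assumed, not any product's default). Returns (verdict, reason)."""
    try:
        headers, upper, _ = parse_chain(pkt)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    seen = {}
    for i, hdr in enumerate(headers):
        t = hdr["type"]
        seen[t] = seen.get(t, 0) + 1
        if t == ROUTING:  # the loose-source-routing analogue: drop it outright
            return "drop", (f"routing header type {hdr['rt_type']}, "
                            f"segments left {hdr['segments_left']}")
        if t == HOPOPT and i != 0:
            return "drop", "hop-by-hop options not first in chain"
        if seen[t] > (2 if t == DSTOPTS else 1):  # Dst Opts may legitimately appear twice
            return "drop", f"repeated extension header {t}"
    if upper not in ALLOWED_UPPER:
        return "drop", f"upper-layer protocol {upper} not allowed"
    return "pass", "/".join(str(h["type"]) for h in headers) or "no extension headers"


def build_packet(ext_types, upper=TCP, rt_type=0, segments_left=1):
    """Construct a minimal IPv6 packet with the given chain (constructed test data, not a capture)."""
    order = list(ext_types) + [upper]
    body = b""
    for i, t in enumerate(ext_types):
        nxt = order[i + 1]
        if t == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0x0001, 0x1234)  # offset 0, M=1, identification
        elif t == ROUTING:
            body += struct.pack("!BBBB", nxt, 2, rt_type, segments_left) + bytes(4) + bytes(16)
        elif t == AH:
            body += struct.pack("!BBH", nxt, 4, 0) + bytes(20)    # 24 octets: SPI, seq, 12-byte ICV
        else:                                                      # Hop-by-Hop / Dst Opts with one PadN
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])
    body += bytes(20)                                              # placeholder upper-layer header
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), order[0], 64, src, dst) + body


if __name__ == "__main__":
    for name, pkt in [("plain TCP", build_packet([])),
                      ("hbh + dstopts", build_packet([HOPOPT, DSTOPTS])),
                      ("routing type 0", build_packet([ROUTING])),
                      ("hbh not first", build_packet([DSTOPTS, HOPOPT])),
                      ("truncated", build_packet([DSTOPTS])[:44])]:
        print(f"{name:15s} -> {filter_packet(pkt)}")
```

The walk stops at ESP because everything after it is encrypted, which is also why a filter that cannot parse past ESP should decide on what it has seen so far rather than on the upper-layer protocol. Note that this policy passes fragments after parsing them; a filter that wants pf's behaviour of dropping fragments outright would simply add FRAGMENT to the headers it rejects.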