Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: Dave Piscitello <dave () corecom com>
Date: Wed, 22 Aug 2007 19:29:20 -0400
There are several firewall products that support IPv6 today. My initial findings from this survey suggest that the carrier/large enterprise class products are closer to fully featured and the SOHO/SMB products are less so. So you can put up a perimeter, for what that's worth.
I'm told that Asia and Europe are "ahead" in deployment of IPv6, and that Asian and European sites {sometimes, often, ...} encapsulate IPV6 in IPv4 and use IPsec tunnels for site to site. This also allows enterprises to use IPv4 security policy enforcement and to assign dwindling IPv4 addresses to public-facing servers. It's also possible to tunnel IPV4 in IPv6 (IPsecv6). I don't think this is a "conversion" as much as a conservancy effort thus far. If you don't have coal, you burn wood.
I believe that the number of servers that are IPv6 addressible and reachable is large relative to IPv5 reachable servers. You can look at name servers in most TLD zone files and find a handful that are assigned AAAA RRs.
I think we're fleshing out many issues about IPv6 deployment. Dual stack is expensive. If backbone routers are struggling with IPv4 tables, I can't imagine that adding IPV6 makes things easier for them, but I could be wrong.
Shahin Ansari wrote:
Greetings-Let me start by saying it is honor to be able to view your postings. I have read Marcus book on security, and it has been an immense help. Now to my point: - How is it that ( I have heard ) Asia PAC counties like China have converted to IPv6 already? Given all the security issues you mention ... - Some purpose having every device support both stack, what are some of the issues you can run into with this? CPU ? Regards-Sean */"Marcus J. Ranum" <mjr () ranum com>/* wrote: Dave Piscitello wrote: >I suppose I should begin by answering "why the interest in IPv6?" >question. Simply put, we are running out of IPv4 addresses (yeah, I >know, the Sky is Falling, NAT will save us forever...). Based on current > consumption rates, some folks speculate that the remaining addresses >not yet distributed by IANA will be exhausted by 2009. This prediction was made before, if I recall correctly. In 1994. Except that we were going to run out, uh, in 1999. Yes, the sky is falling, but it appears to be falling fairly slowly and gently. :) Perhaps something better than IPv6 will still come along. You know, like what a few of us suggested back in 1992 - namely doubling the address size, left-filling with zeroes, and bumping the version number? ;) Of course everyone screamed that that would never work because the backbone routers would need gigabytes of memory and nobody could do something crazy like that. Or invent CIDR routing or spanning trees or any of the other network tricks that have come up since 1992 that would have made the idea workable, practical, and in place and functioning by now... But, to your real point: > I'm not convinced we can even meet the >modest (that's as polite as I can be) security baseline we achieve with >IPv4 security products with available IPv6 security products. What >little I've learned in the short time I've spent asking security >companies about IPv6 support isn't encouraging. It shouldn't be. Let's see - it took HOW long to even sort out the most obvious DOS vectors in V4, which was a vastly simpler protocol. The recent rumblings about problems in V6 indicate that finding flaws in V6 will be a lot like hunting Passenger Pigeons was in the 1700's: point your shotgun at the sky and pull the trigger and several will fall at your feet. It's a hell of a price to pay for bigger address spaces and the ego-boost of the IETFniks who get to say they worked on the next big protocol, huh? mjr. _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards ------------------------------------------------------------------------Pinpoint customers <http://us.rd.yahoo.com/evt=48250/*http://searchmarketing.yahoo.com/arp/sponsoredsearch_v9.php?o=US2226&cmp=Yahoo&ctv=AprNI&s=Y&s2=EM&b=50>who are looking for what you sell.------------------------------------------------------------------------ _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Attachment:
dave.vcf
Description:
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- New to Cisco PIX/ ASA Keith A. Glass (Aug 01)
- Re: New to Cisco PIX/ ASA ArkanoiD (Aug 21)
- Re: New to Cisco PIX/ ASA Jason (Aug 22)
- CSA Question Carric Dooley (Aug 21)
- IPv6 support in firewalls Dave Piscitello (Aug 21)
- Re: IPv6 support in firewalls ArkanoiD (Aug 22)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 22)
- Re: IPv6 support in firewalls Shahin Ansari (Aug 22)
- Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: IPv6 support in firewalls Mohit Sharma (Aug 23)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 23)
- Re: IPv6 support in firewalls Darren Reed (Aug 22)
- Message not available
- Re: IPv6 support in firewalls Darren Reed (Aug 23)
- Re: IPv6 support in firewalls Shahin Ansari (Aug 23)
- Re: New to Cisco PIX/ ASA ArkanoiD (Aug 21)
- Re: IPv6 support in firewalls Marcus J. Ranum (Aug 23)
- ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: IPv6 support in firewalls Patrick M. Hausen (Aug 23)
- ***SPAM*** Re: IPv6 support in firewalls Dave Piscitello (Aug 23)
- Re: ***SPAM*** Re: IPv6 support in firewalls ArkanoiD (Aug 24)