Firewall Wizards mailing list archives

Re: IPv6 support in firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 22 Aug 2007 21:17:11 -0400

Shahin Ansari wrote:
-  How is it that (I have heard) Asia PAC countries like China have converted to IPv6 already?  Given all the security issues you mention ...

There will be interesting times for early adopters. That's what usually
happens. Right now the IPV4 target space is so rich that the attackers
have not set their sights on IPV6. Just wait. Remember - IPV4 got a
10 year grace period, too, until it became predominant. Once it became
widely enough used to represent a big target, then it was feeding time.
IPV6 will be BOHICA for sure.

IPV6 has got a lot of complexity and was designed by a committee. I
guess that's a redundant statement but, well... You get the idea.

-  Some propose having every device support both stacks, what are some of the issues you can run into with this?  CPU?

There are all kinds of potential problems. For one thing, you have
multiple stacks and multiple addresses. Now, it's not just a
matter of firewalling off a single network interface - now, "what
is a network interface?" is a more sensible question. Are
there potentials for screwing up a system by bouncing traffic
from one interface to another? We saw that with IPV4 loopback
devices. And, there's always the code bloat. "Hey, just stick
it in the kernel! After all, we've already linked the kitchen sink
in there! Let's stick a whole 'nother network stack in there
in case some hacker wants to enable it and tunnel traffic
out..."

mjr. 
