Firewall Wizards mailing list archives

Re: IPv6


From: Carl Friedberg <friedberg () exs esb com>
Date: Mon, 27 Dec 2010 00:14:14 -0500

You may not be planning to think about IPv6, but the folks at Redmond have been. If you Google on IPv6 and Windows 
Server 2008 R2 (or Windows 7, or even Vista), you will find that the IPv6 protocol is a mandatory component of those 
OS, and you are told that disabling IPv6 (unbinding that protocol from an interface) makes your OS unsupported. 
Microsoft did not bother to test those OS with IPv6 disabled (or so they say, at this point).

Of course, you may be a lucky person and not have to support current Windows OS on your network. If so, then you don't 
have to think about IPv6 for years. Otherwise, you better do some reading. You could start with this (a bit old):

http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

"From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included 
in standard Windows service and application testing during the operating system development process. Because Windows 
was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of 
disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not 
function. Moreover, applications that you might not think are using IPv6 - such as Remote Assistance, HomeGroup, 
DirectAccess, and Windows Mail - could be.

"Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either 
native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, 
HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take 
advantage of IPv6-enhanced connectivity."

Please, FW Wizards, prove me wrong. Thanks,

Carl Friedberg
www.comets.com
 
-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of Timothy Shea
Sent: Sunday, December 26, 2010 11:23 PM
To: Devdas Bhagat; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] IPv6

There is much additional complexity in IPv6 regardless of security architecture.  And IPSec being "built in" is 
irrelevant to the debate.  

Outside of our government contracts - not even remotely thinking about IPv6.  Maybe in a few more years.

t.s  


On Sun, Dec 26, 2010 at 2:20 PM, Devdas Bhagat <dvb () users sourceforge net> wrote:


        On Sun, Dec 26, 2010 at 11:56:45AM -0500, Paul D. Robertson wrote:
        
        > Is anyone doing anything interesting with v6 and firewalls?  We're
        > supposedly coming up on the year that v6 will break out, and most
        > organizations I know still don't even route it.
        
        
        I am looking to start announcing IPv6 early next month. At this point,
        Linux and *BSD boxes support IPv6 in their firewall rulesets.
        
        There really shouldn't be much additional complexity with IPv6 in
        any good security architecture. It's just another routed protocol,
        with longer addresses and IPSec built in.
        
        At the beginning though, we are likely to see simple IPv6 routing
        with no AH/ESP.
        
        What will be infinitely more interesting will be the combinations
        of IPv4 to IPv6 mapping/NATing/routing which will happen.
        
        Devdas Bhagat
        
        _______________________________________________
        firewall-wizards mailing list
        firewall-wizards () listserv icsalabs com
        https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
        




-- 
Tim Shea, CISSP
612-384-6810
tim () tshea net

http://www.linkedin.com/in/timothyshea
