[ipv6hackers] Implications of IPv6 on network firewalls

Peter Bruderer peter.bruderer at brg.ch
Tue Nov 22 14:57:39 CET 2011


Hi Fernando

Maybe I'm wrong, but ...

It should be common practice to block unwanted tunnels at the firewall. 

If you officially run IPv6 inside your network, there is no need to tunnel out IPv6 through a firewall. Therefore you block UDP 3544 (Teredo) and IP protocol 41 at your firewall. Now you do not have to care about wild tunnels anymore. Real IPv6 traffic has to pass your IPv6 policy on your official IPv6 firewall.

If you do not run IPv6 inside your network, then you have even fewer reasons to allow IPv6 tunnels through your firewall.

The only exception to allow a tunnel through a firewall is the situation when you do not have static external IP addresses and you do run an AICCU tunnel or similar from a dedicated machine inside your network.

Best
Peter Bruderer
--
Bruderer Research GmbH
CH-8200 Schaffhausen
Voice +41 52 620 26 53
peter.bruderer at brg.ch

On 21.11.2011, at 11:16, Adrian Bool wrote:

> Hi Fernando, 
> 
> 
> On Monday, 21 November 2011 at 01:20, Fernando Gont wrote:
> 
>> An article about IPv6 firewalls that I've written for Techtarget has
>> just been published. It is available here:
>> <http://searchenterprisewan.techtarget.com/tip/IPv6-firewall-security-Fixing-issues-introduced-by-the-new-protocol>
>> 
>> 
> 
> 
> 
> On the subject IPv6 extension headers...
> 
> My understanding is that there are seven extension headers defined in RFC2460, which then goes on to state,
> 
>> Each extension header should occur at most once, except for the Destination Options header which should occur at most twice.
>> 
> 
> 
> And earlier in the same RFC,
> 
>> [if] the Next Header value in the current header is unrecognized by the node, it should discard the packet and send an ICMP Parameter Problem message
>> 
> 
> 
> It therefore seems to me that a firewall should never need to process more than eight extension headers - anything more than this should be dropped and an ICMP error returned.
> 
> Have I missed anything?
> 
> Kind regards,
> 
> Adrian
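As an added example (written here, not code from either poster), the two checks this thread describes: a classifier for the IPv4 tunnel traffic Peter says to block at the border (IP protocol 41 and UDP port 3544), and a walker that applies Adrian's reading of RFC 2460 to an IPv6 extension-header chain (each header at most once, Destination Options at most twice, never more than eight, with ESP ending the walk because what follows it is encrypted). The packet builders, the sample packets and the eight-header cap parameter are assumptions made for the demonstration.

```python
import struct

# IPv6 Next Header values of the extension headers a border device walks
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
TEREDO_PORT = 3544

def make_v4(proto, payload):
    """Constructed minimal IPv4 header (no options) carrying `proto` and `payload`."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x01") + payload

def classify_v4_tunnel(pkt):
    """Return '6in4', 'teredo' or None for a raw IPv4 packet (what the border rule drops)."""
    ihl = (pkt[0] & 0x0F) * 4                   # IPv4 header length in bytes
    proto = pkt[9]
    if proto == 41:                             # protocol 41 = IPv6 encapsulated in IPv4
        return "6in4"
    if proto == 17 and len(pkt) >= ihl + 4:     # UDP: Teredo uses port 3544
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None

def make_v6(chain, final=6):
    """Constructed IPv6 packet with the extension headers in `chain` (8 bytes each), then TCP."""
    nhs = chain + [final]
    body = b"".join(bytes([nhs[i + 1], 0]) + b"\x00" * 6 for i in range(len(chain)))
    hdr = struct.pack("!IHBB", 0x60000000, len(body), nhs[0], 64) + b"\x00" * 32
    return hdr + body

def walk_ext_headers(pkt, max_headers=8):
    """Walk an IPv6 extension-header chain; return (headers seen, verdict)."""
    nh, off, seen, count = pkt[6], 40, {}, 0
    while nh in EXT_HEADERS:
        count += 1
        if count > max_headers:                 # backstop: RFC 2460 allows at most eight
            return count, "drop: too many ext headers"
        seen[nh] = seen.get(nh, 0) + 1
        if seen[nh] > (2 if nh == DEST_OPTS else 1):  # occurrence rule from RFC 2460
            return count, "drop: header %d repeated" % nh
        if nh == ESP:                           # payload after ESP is encrypted: stop here
            break
        if off + 2 > len(pkt):
            return count, "drop: truncated chain"
        # Fragment is fixed 8 bytes; AH length is in 4-byte words; others in 8-byte units
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    return count, "pass"
```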