[ipv6hackers] Implications of IPv6 on network firewalls

Owen DeLong owend at he.net
Tue Nov 22 17:28:34 CET 2011


On Nov 22, 2011, at 5:57 AM, Peter Bruderer wrote:

> Hi Fernando
> 
> Maybe I'm wrong, but ...
> 
> It should be common practice to block unwanted tunnels at the firewall. 
> 
> If you officially run IPv6 inside your network, there is no need to tunnel out IPv6 through a firewall. Therefor you block UDP 3544 (Teredo) and IP protocol 41 at your firewall. Now you do not have to care about wild tunnels anymore. Real IPv6 traffic has to pass your IPv6 policy on your official IPv6 firewall.
> 

In that case, don't forget GRE (protocol 47 IIRC) as well.

> If you do not run IPv6 inside your network, then you have even less reasons to allow IPv6 tunnels through your firewall.
> 

That may depend. There may be some need inside your network for some group to gain IPv6 access, but, that should be taken on a case-by-case basis and not generally open.

> The only exception to allow a tunnel through a firewall is the situation, when you do not have static external IP addresses and you do run an AICCU tunnel or similar from a dedicated machine inside your network.
> 

Not the only, but, one of a very small number of valid situations.

Owen




More information about the Ipv6hackers mailing list