[ipv6hackers] Implications of IPv6 on network firewalls

Fernando Gont fgont at si6networks.com
Thu Nov 24 23:38:05 CET 2011 

On 11/24/2011 02:31 PM, Owen DeLong wrote:
>> I don't think extension headers other than "Fragment Header" are needed
>> for basic functionality. Regarding use of HBH extension headers for MLD,
>> they are only needed if:
>>
> I guess that depends on your definition of basic functionality.
> 
> In IPv6, IPSEC is implemented in extension headers. I would consider that
> basic functionality.

I consider "basic functionality" that which parallels what we currently
do with IPv4.



>> a) Your local network is supported by an MLD-snooping switch, or,
>> b) You're using "global" multicast (as opposed to link-local multicast)
> 
> Both of which I would consider basic functionality in IPv6.

Is your assessment that most networks have deployed e.g. multicast
routing protocols?


>> When it comes to "a", *if* you wanted, you could disable the
>> MLD-snooping functionality (your switch might not even support it, anyway).
> 
> You could, but, then you lose the advantages that come from MLD snooping
> and I don't think that would be desirable, especially when combined with b).

*My* recommendation is to run MLDv1 (as opposed to MLDv2), and *not* to
disable MLD completely. (FWIW, the node requirements RFC does not even
mandate MLDv2, but a lightwight version of it).



>> "b" is not the case for most networks.
> 
> It may not be the case for many networks today, but, I certainly hope that will
> change going forward in IPv6. Especially when you consider that case b isn't
> limited to global multicast. It's actually applicable to any multicast scope
> larger than link. (Multicast address ≥ff02::/16).

My take is that if you have an application that needs it, deploy it. If
not, don't.


>> So my advice would be that, rather than disabling MLD completely, you
>> use MLDv1 (instead of MLDv2), and use MLDv2 only if you're expecting to
>> use non-local multicast.
> 
> My advice is that most people should be expecting to use non-local multicast
> in their futures.

Yep, but usually you don't want to get hacked today for what you might
be using in the future. That said, I argued in favor of MLDv1 (as
opposed to MLDv2), and did *not* argue in favor of disabling MLD completely.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list