[ipv6hackers] the end is near (or for IPv6: the beginning)
Edward Lopez
elopez at fortinet.com
Wed Jan 15 19:35:24 CET 2014
This is my personal opinion and not necessarily one shared with my company.
IPv4 stateful firewalls have a heavy reliance on NAT functionality as a means of resolving asymmetric routing issues that would otherwise be problematic in otherwise multipath routing environments. Proxy devices resolve asymmetry as a natural result of explicit proxy functions. As IPv6 migration accelerates, and the adoption of native IPv6 addressing down to endpoints becomes predominant, we will begin to see interesting issues arise:
- A sharp rise in asymmetry issues with stateful firewalls in multipath environments
- An increase in direct attacks against IPv6 endpoints, due to the removal of the NAT boundary
- A strong effort to deploy NAT66 (RFC 6296) for use in FW/CGN boundaries
- A resurgence of proxy-based security
- The need to resolve asymmetry will be exacerbated by the deployment of IPv6 anycast services
With the recent allegations that the NSA TAO has compromised a number of commercial stateful firewall systems, I would think that more intelligent organizations will be reconsidering their network security strategies in their migration plans to IPv6.
Ed
On Jan 4, 2014, at 12:29 PM, Jens Link <lists at quux.de> wrote:
Marc Heuse <mh at mh-sec.de> writes:
Expect everyone in the USA to be totally surprised when this happens
(like every year in Chicago in Winter when it starts snowing) ;-)
Or Windows XP support running out. ;-)
Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink at jabber.quux.de | --------------- |
----------------------------------------------------------------------------
_______________________________________________
Ipv6hackers mailing list
Ipv6hackers at lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers
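The asymmetry issue raised in the first paragraph of the message above, as an added illustration that is not part of the original post: a constructed model of two stateful firewalls on parallel paths with independent state tables, showing that a reply to a native endpoint address can arrive at the firewall that holds no state, while a source-NAT address pins the reply to the firewall that created the state. The class and function names, the documentation-prefix addresses and the `ecmp_choice` parameter are assumptions, and the per-firewall NAT address is a simplification rather than an implementation of RFC 6296.

```python
# Constructed model (not from the original message): two stateful firewalls
# on parallel paths, each with its own state table and no state sync.

class StatefulFirewall:
    def __init__(self, name, nat_addr=None):
        self.name = name
        self.nat_addr = nat_addr  # source-NAT address routed only to this box
        self.state = {}           # (remote, rport, outside_src, sport) -> inside host

    def outbound(self, src, sport, dst, dport):
        """Inside host opens a flow: record state, return the packet as seen outside."""
        outside_src = self.nat_addr or src
        self.state[(dst, dport, outside_src, sport)] = src
        return outside_src, sport, dst, dport

    def inbound(self, src, sport, dst, dport):
        """Reply from outside: accept only if this firewall created matching state."""
        return "ACCEPT" if (src, sport, dst, dport) in self.state else "DROP"


def return_path(dst, firewalls, ecmp_choice):
    """Upstream routing for the reply. A NAT address leads only to its owner;
    a native endpoint address is reachable via every firewall, so the
    multipath decision (ecmp_choice, an assumed stand-in for ECMP) picks one."""
    for fw in firewalls:
        if fw.nat_addr == dst:
            return fw
    return firewalls[ecmp_choice]


def simulate(use_nat, ecmp_choice):
    """Send one flow out through fw-a and report which firewall sees the reply."""
    fw_a = StatefulFirewall("fw-a", "2001:db8:ffff::a" if use_nat else None)
    fw_b = StatefulFirewall("fw-b", "2001:db8:ffff::b" if use_nat else None)
    host, server = "2001:db8:1::10", "2001:db8:2::80"  # documentation prefix
    src, sport, dst, dport = fw_a.outbound(host, 40000, server, 443)
    fw = return_path(src, [fw_a, fw_b], ecmp_choice)
    # The reply swaps the endpoints of the outbound packet.
    return fw.name, fw.inbound(dst, dport, src, sport)


if __name__ == "__main__":
    for use_nat in (False, True):
        for choice in (0, 1):
            print(f"nat={use_nat} ecmp={choice} ->", simulate(use_nat, choice))
```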