[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Fernando Gont fgont at si6networks.com
Tue Oct 20 02:47:42 CEST 2015

On 10/18/2015 02:10 AM, Mark ZZZ Smith wrote:
>>> On Sat, Oct 17, 2015 at 08:51:25AM +0200, Enno Rey wrote:
>>>> except for the IP version that kinda deprecates fragmentation,
>>>> that is IPv6.
> <snip>
> *because* the networks must support fragmention, it is important
> that there is RFC that is more tight on extension headers as well as
> that security products must look deeply into the packets.
> * I think here is the fundamentally flawed assumption or belief -
> that the network is the best and only place to do host and
> application security.
> From one of the inventors of network located firewalls, and from 16
> years ago,
> "Conventional firewalls rely on the notions of restricted topology
> and controlled entry points to function. More precisely, they rely on
> the assumption that everyone on one side of the entry point--the
> firewall--is to be trusted, and that anyone on the other side is, at
> least potentially, an enemy. The vastly expanded Internet
> connectivity in recent years has called that assumption into
> question."
> "Distributed Firewalls" by Steven M. Bellovin
> https://www.cs.columbia.edu/~smb/papers/distfw.html

My take is that things are not black or white in this respect.

Some people think that the "current" security paradigm is
network-centric, and that it will shift to host centric.

I'd argue that it has been mixed host/network-centric, and will continue
to do so.

You can find additional thoughts on firewalls here:


Best regards,
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list