[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions
Fernando Gont
fgont at si6networks.com
Tue Oct 20 02:47:42 CEST 2015
On 10/18/2015 02:10 AM, Mark ZZZ Smith wrote:
>>> On Sat, Oct 17, 2015 at 08:51:25AM +0200, Enno Rey wrote:
>>>> except for the IP version that kinda deprecates fragmentation,
>>>> that is IPv6.
>>>
> <snip>
>
> *because* the networks must support fragmentation, it is important
> that there is an RFC that is more tight on extension headers as well as
> that security products must look deeply into the packets.
>
> * I think here is the fundamentally flawed assumption or belief -
> that the network is the best and only place to do host and
> application security.
>
> From one of the inventors of network located firewalls, and from 16
> years ago,
>
> "Conventional firewalls rely on the notions of restricted topology
> and controlled entry points to function. More precisely, they rely on
> the assumption that everyone on one side of the entry point--the
> firewall--is to be trusted, and that anyone on the other side is, at
> least potentially, an enemy. The vastly expanded Internet
> connectivity in recent years has called that assumption into
> question."
>
> "Distributed Firewalls" by Steven M. Bellovin
>
> https://www.cs.columbia.edu/~smb/papers/distfw.html
My take is that things are not black or white in this respect.
Some people think that the "current" security paradigm is
network-centric, and that it will shift to host centric.
I'd argue that it has been mixed host/network-centric, and will continue
to be so.
You can find additional thoughts on firewalls here:
<https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
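The quoted point that a security product must "look deeply into the packets" when the network has to carry fragments and extension headers is easy to state and harder to implement. As an added example (not from the thread, and not code by any of its participants), the Python below walks an IPv6 Next Header chain the way a filtering device has to: the transport header is not at a fixed offset, each extension header declares its own length, and when a Fragment header with a non-zero offset is present the upper-layer header is simply not in this packet. All sample packets are constructed inline; addresses are zero and the header-name tables cover only the values needed here.

```python
"""Walk an IPv6 extension header chain to locate the upper-layer protocol.

Constructed example: shows why a per-packet inspection device cannot read the
transport header at a fixed offset in IPv6, and what it must report when the
upper-layer header is absent (non-first fragment) or the chain is truncated.
"""
import struct

IPV6_HDR_LEN = 40
# Extension headers sharing the generic layout: Next Header, Hdr Ext Len, data.
EXT_HDRS = {0: "Hop-by-Hop", 43: "Routing", 60: "Destination Options"}
FRAGMENT = 44
NO_NEXT = 59
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def _result(status, chain, upper=None, offset=None):
    return {"status": status, "chain": chain, "upper": upper, "offset": offset}


def walk_chain(pkt, max_headers=8):
    """Follow the Next Header chain of an IPv6 packet (bytes).

    Returns a dict with the status, the list of extension headers seen, the
    upper-layer protocol name (if it is present in this packet) and its offset.
    max_headers bounds the loop so a pathological chain cannot run it forever.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return _result("not_ipv6", [])
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    for _ in range(max_headers):
        if nh in UPPER:
            return _result("ok", chain, UPPER[nh], off)
        if nh == NO_NEXT:
            return _result("no_next_header", chain, None, off)
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                return _result("truncated", chain)
            next_nh, _res, frag_field, _ident = struct.unpack_from("!BBHI", pkt, off)
            frag_offset, more = frag_field >> 3, frag_field & 1
            chain.append("Fragment")
            if frag_offset != 0:
                # Non-first fragment: only the reassembled datagram has the
                # upper-layer header, so this packet alone cannot be classified.
                return _result("non_first_fragment", chain)
            nh, off = next_nh, off + 8
            continue
        if nh not in EXT_HDRS:
            # Some protocol we have no table entry for (e.g. ESP); stop here.
            return _result("unknown_protocol", chain, None, off)
        if off + 2 > len(pkt):
            return _result("truncated", chain)
        next_nh, hdr_ext_len = pkt[off], pkt[off + 1]
        length = (hdr_ext_len + 1) * 8      # Hdr Ext Len counts 8-octet units
        if off + length > len(pkt):
            return _result("truncated", chain)
        chain.append(EXT_HDRS[nh])
        nh, off = next_nh, off + length
    return _result("too_many_headers", chain)


# --- constructed sample packets -------------------------------------------
def ipv6_header(next_header, payload_len):
    # Version 6, TC 0, flow label 0, hop limit 64, all-zero src/dst (constructed).
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64) + bytes(32)


def ext_header(next_header, hdr_ext_len=0):
    # Generic extension header padded to its declared length.
    return bytes([next_header, hdr_ext_len]) + bytes((hdr_ext_len + 1) * 8 - 2)


def fragment_header(next_header, frag_offset, more, ident):
    # Next Header, Reserved, (Fragment Offset:13 | Res:2 | M:1), Identification.
    return struct.pack("!BBHI", next_header, 0, (frag_offset << 3) | (more & 1), ident)


def sample_packets():
    plain = ipv6_header(6, 20) + bytes(20)
    body = ext_header(60) + ext_header(6, 1) + bytes(20)
    chained = ipv6_header(0, len(body)) + body
    body = fragment_header(6, 185, 0, 0x1234) + bytes(16)
    later_frag = ipv6_header(FRAGMENT, len(body)) + body
    body = ext_header(FRAGMENT) + fragment_header(6, 0, 1, 1) + bytes(20)
    first_frag = ipv6_header(60, len(body)) + body
    truncated = ipv6_header(0, 2) + bytes([6, 3])   # claims 32 bytes, has 2
    return {"plain": plain, "chained": chained, "later_frag": later_frag,
            "first_frag": first_frag, "truncated": truncated}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:11s} -> {walk_chain(pkt)}")
```

Each status other than `ok` is a case where a stateless filter has to make a policy decision rather than a protocol decision: drop, pass, or hand the packet to a reassembly engine.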