Re: [fw-wiz] IPv6 and IPSec

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 08/30/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] VPN endpoints" 
    To: "Michael H. Warfield" <mhw@wittsend.com>
Date: Mon, 30 Aug 2004 08:00:02 -0400 (EDT)

    On Sun, 29 Aug 2004, Michael H. Warfield wrote:

    > Hey all,

    Hi Mike, that's for such a comprehensive reply!

    > > > Hi,
    > > > IPSec based security is MUST for IPv6. Due to this, I would
    > > > assume that end systems would use IPSec to secure the traffic
    > > > going out.
    >
    > > Why? It's not a must for IPv4, why would adding address space suddenly
    > > require IPSec? Heck, the cascading headers for V6 offer the chance for
    > > pseudo-out-of-band control and encapsulation, why again would you use
    > > IPSec?
    >
    > It's a missinterpretation of the specs and the requirements.

    Ah- that makes sense-

    [snip]

    > IPv6 is VASTLY more interesting that this... There are lots
    > of things that are interesting (both in the good sense and the bad
    > sense) about IPv6 and security. Consider "privacy enhanced addresses".
    > Now, as a system administrator, how are you going to track down a virus
    > infected system that changes it's address every half hour with no audit
    > trail?

    This is something I need to read up on, I don't recall it being around
    when I last looked, but perhaps I simply overlooked it... I was more
    interested in using the encapsulating headers to rope off control and
    provide transit a layer or two deep and add some separation for different
    populations - all problems I no longer have directly.

    > I restrict ssh to IPv6 only (hell, it's virtually unscannable and
    > has no broadcast address and is reachable from anywhere I am on IPv4, why
    > not...). Some of my external servers, the ssh listens only on certain
    > IPv6 addresses. And those addresses change every 15 minutes. A new address
    > is added every 15 minutes and the dns is updated (w/ TSIG). Each address
    > is valid for 2 hours (to allow for DNS TTL). After that time, it's
    > deprecated. When a deprecated address no longer has a resource (socket)
    > attached to it, it ceases to exist on the machine. Every IPv4 address
    > has an entire IPv6 NETWORK (65,536 subnets each containing 16 billion
    > billion host addresses). I have yet to find anywhere on the entire
    > internet where IPv6 does not work (private address space or global address
    > space), and it works well. I can reach all my IPv6 stuff from anywhere
    > on IPv4. Why leave it expose and vulnerable (to scanning and probes) on
    > IPv4? Even my virtual web server farm has web services on IPv4 but all
    > the security stuff is tightly marshalled over IPv6.

    Won't the 4<->6 gateway be vulnerable anyway? In a mixed environment, it
    seems that you'd be stuck with the v4 problems until the environment isn't
    so mixed anymore.

    > How do you scan for backdoors, when the intruder adds his own
    > unique address (hell, you can add IPv6 to XP without even rebooting the
    > damn thing and you have to reboot Linux to disable it) amongst
    > 16 billion-billion possible addresses on that wire? How do you deal
    > with bot-nets, were every bot is given a unique contact addresses and
    > the server has has thousands of addresses added without having to ask
    > anyone?

    Have you seen any botnets using v6 in the wild? I assume that you still
    need some sort of v4<->v6 gateway for most leaf nodes these days, so the
    traffic will still come down to a v4 address until everyone routes v6
    directly.

    > > Want to check out something really NASTY, check out Teredo.
    > That's IPv6 over UDP. A buddy at MS refers to this as the "Evil
    > Firewall Destroying Deamon from Hell". Do you worry about UDP traffic
    > over port 3544? Should you be? Some people have already found out,
    > to their regret, that they should be.

    Tunnels have always been an issue for protected networks. It's one of the
    reasons that I wouldn't allow anything that wasn't proxied when I was
    running operational user networks. From there, you normally just need to
    do utilization reporting to detect whole-network tunnels, though traffic
    inspection at some point becomes necessary once the tunnel thresholds go
    under normal usage.

    > IPv6 has LOTS of security implications. They're just not obvious.
    > And a lot of people (particulary in North America) have their heads in the
    > sands vis-a-vis IPv6. At many of my talks, I've had people walk up to
    > me later and tell me that they've been seeing this strange traffic on
    > their network for ages, they just didn't know what it was. And now they
    > know, and now they need to figure all this out... IPv6 arrived several
    > years ago and anyone who thinks they don't have IPv6 just doesn't know
    > that they have it already, and that they don't control it, and that it's
    > uniformly routable, and that it's globally addressible (whether their IPv4
    > addresses are globally addressible or not).

    Hmmm, but won't the default deny access lists on my border stop it unless
    I specifically allow IPv6 in? It seems to me that if I'm doing all the
    right things[1], my exposure should be tunnels and mistakes. Tunnels are
    an issue with IPv6 as well, though blocking v6 DNS does seem like a
    reasonable bit of defense in depth if I'm not quite ready to deal with the
    other issues.

    >
    > But... Back on the original topic... IPSec is not required
    > to use IPv6. It's only required by implimentations to be supported in
    > order to be "IPv6 compliant". Use it if you wish, or don't use it if
    > you wish. You don't have to support IPSec to be IPv4 compliant, but you
    > do have to support it for IPv6. Outside of just supporting it, it's
    > the same as it ever was.
    >
    > OTOH... IPSec CAN be REALLY usefull in supporting IPv6! My
    > laptop has over a dozen different ways of connecting to IPv6 no matter
    > where I am in the world. If I can pull a native prefix, great. If not,
    > I can go 6to4 or 6over4, no problem. If that doesn't work, my next fall
    > back is IPSec on IPv4 (to tunnel my IPv6 stuff over a VPN) and IPSec NAT-T
    > (IPSec over UDP port 4500) next. If those fail, then I start resorting
    > to things like PPP over stunnel or PPP over ssh (both of which have been
    > tested). Beyond that, there are even more access methods that I've never
    > tested because I've never run into a circumstance where none of the above
    > didn't work. In most corporate environment with really strict rules,
    > IPSec NAT-T (forcing NAT-T even when not cross a NAT) works like a champ.
    > Have never been force to resort to things like CCTT, even though they
    > are there and ready if I ever find anything that gets in the way of what
    > I normally use. IPSec (particulary NAT-T) is a great firewall bypass tool.
    > Ya don't need to run IPSec on IPv6 when you are already tunnelling IPv6
    > over IPSec. :-)
    >

    Dammit, I don't have _time_ to play... But now you're gonna make me...

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Paul D. Robertson: "Re: [fw-wiz] VPN endpoints"

    Relevant Pages