Re: [fw-wiz] IPv6 and firewall policies?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 10/31/04

    To: Darren Reed <darrenr@reed.wattle.id.au>
    Date: Sun, 31 Oct 2004 04:14:32 -0500 (EST)
    
    

    On Sat, 30 Oct 2004, Darren Reed wrote:

    > In some email I received from Paul D. Robertson, sie wrote:
    > > Is anyone doing anything with IPv6 other than either "let it back if I
    > > talk it out," "block it completely," or "ignore it and hope it goes away?"
    >
    > I'm rather dismayed at firewalling and IPv6, even just within packet
    > filters, because there seems to be little understanding (as yet) of
    > what IPv6 does and can do, along with the security implications of
    > that. What extension headers need to be blocked ? What ones are
    > safe to allow ? What are the risks with each of these ?
    >
    > Are you asking because it is within scope, asking whether or not
    > it should be included in the scope or something else ?

    I'm just trying to figure out where things are now and what strategies
    should be employed from there moving forward.

    We were fortunate in starting with ALGs for IPv4 firewalling, because it
    took away so many of the issues with fragmentation, flags and
    segmentation- or at least relegated them to a single stack's
    implementation. With IPv6, I'm afraid we're going to come at it from a
    packet filter first approach, and that's got me worried that we're going
    to go through the same cycle all over again.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation