Re: [fw-wiz] IPv6 support in firewalls

It seems like an interesting topic to put my first ever post to this mailing
list, while i beleive that all firewall/IDS/IPS have prepared themselves to
combat against the IPv6 flaws, i am not surprised that china has converted
without any problems(or may be nobody has claimed yet) coz the rest of
world(mostly i mean) still reamins on IPv4 and we've yet to see the future
of IPv6.

While IPv6 autoconfiguration brings new heights of IP addressing and DHCP
functionality, it beings some serious security considerations.

The movement from IPv4 to IPv6 would not be seamless, and moving to IPv6
would not mean that IPv4 would not exist at all(i assume), the developers
have given a choice to tunnel the IPv6 in IPv4 which still remains a concen
and furure would unfold the upcoming flaws, while i hope the best for IPv6
due to the kinda investment developers has put into it, it is the destiny of
every computer network to be exploited by the world they belong to.

Sucked up Soul aka MAX

On 8/22/07, Shahin Ansari <zohal52@xxxxxxxxx> wrote:

Let me start by saying it is honor to be able to view your postings.
I have read Marcus book on security, and it has been an immense help. Now
to my point:
- How is it that ( I have heard ) Asia PAC counties like China have
converted to IPv6 already? Given all the security issues you mention ...

- Some purpose having every device support both stack, what are some of
the issues you can run into with this? CPU ?


*"Marcus J. Ranum" <mjr@xxxxxxxxx>* wrote:

Dave Piscitello wrote:
I suppose I should begin by answering "why the interest in IPv6?"
question. Simply put, we are running out of IPv4 addresses (yeah, I
know, the Sky is Falling, NAT will save us forever...). Based on current
consumption rates, some folks speculate that the remaining addresses
not yet distributed by IANA will be exhausted by 2009.

This prediction was made before, if I recall correctly. In 1994. Except
that we were going to run out, uh, in 1999. Yes, the sky is falling, but
it appears to be falling fairly slowly and gently. :)

Perhaps something better than IPv6 will still come along. You know,
like what a few of us suggested back in 1992 - namely doubling
the address size, left-filling with zeroes, and bumping the
version number? ;) Of course everyone screamed that that would
never work because the backbone routers would need gigabytes
of memory and nobody could do something crazy like that. Or
invent CIDR routing or spanning trees or any of the other network
tricks that have come up since 1992 that would have made the
idea workable, practical, and in place and functioning by now...

But, to your real point:
I'm not convinced we can even meet the
modest (that's as polite as I can be) security baseline we achieve with
IPv4 security products with available IPv6 security products. What
little I've learned in the short time I've spent asking security
companies about IPv6 support isn't encouraging.

It shouldn't be. Let's see - it took HOW long to even sort out the
most obvious DOS vectors in V4, which was a vastly simpler
protocol. The recent rumblings about problems in V6 indicate
that finding flaws in V6 will be a lot like hunting Passenger
Pigeons was in the 1700's: point your shotgun at the sky and
pull the trigger and several will fall at your feet.

It's a hell of a price to pay for bigger address spaces and
the ego-boost of the IETFniks who get to say they worked on
the next big protocol, huh?


firewall-wizards mailing list

Pinpoint customers
are looking for what you sell.

firewall-wizards mailing list

firewall-wizards mailing list