Re: [fw-wiz] IPv6 support in firewalls

Date: Wed, 22 Aug 2007 12:56:27 -0700
From: Darren Reed <darrenr@xxxxxxxxxxxxxxxxx>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
Cc: "Marcus J. Ranum" <mjr@xxxxxxxxx>, dave@xxxxxxxxxxx
Message-ID: <46CC94EB.10707@xxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Marcus J. Ranum wrote:
It shouldn't be. Let's see - it took HOW long to even sort out the
most obvious DOS vectors in V4, which was a vastly simpler
protocol. The recent rumblings about problems in V6 indicate
that finding flaws in V6 will be a lot like hunting Passenger
Pigeons was in the 1700's: point your shotgun at the sky and
pull the trigger and several will fall at your feet.

The security problems are the same, just that some have different
names now. Loose/strict source routing options from IPv4 are
present in IPv6 under a new guise - this new costume resulted
in a few platforms shipping with processing of them enabled by
default. In IPv6 the devils are extension headers and in this case,
the routing extension header (but only type 0, so they say...)

Some of the problems are a bit different due to the increased scale. For
example, can you think of a good way to proactively scan an entire IPv6
subnet for vulnerabilities and rogue hosts? With v4 and RFC 1918, it is
barely feasible to actively scan 10/8 within a reasonable amount of time, so
v6 presents a new challenge in this respect. Basically, you have to wait
until something starts talking and then go out and scan it. Either way,
you're going to be waiting a while before you even know it's there.
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512
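As an added illustration, not part of the thread, this is how a filter could recognise the "new costume" of source routing the reply refers to: it walks the IPv6 extension-header chain and flags a Type 0 Routing Header that still has segments left. Packet builders, addresses and sample packets are constructed for the example.

```python
import ipaddress
import struct

# IANA protocol numbers for the extension headers that can precede the upper-layer header.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
CHAINED = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def walk_extension_headers(pkt: bytes):
    """Yield (header_type, offset, header_bytes) for each extension header, in chain order."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = pkt[6], 40
    while next_hdr in CHAINED:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 octets; the others carry Hdr Ext Len in
        # 8-octet units, not counting the first 8 octets.
        hlen = 8 if next_hdr == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        yield next_hdr, off, pkt[off:off + hlen]
        next_hdr, off = pkt[off], off + hlen

def has_rh0(pkt: bytes) -> bool:
    """True if a Type 0 Routing Header with Segments Left > 0 is present: the IPv6
    counterpart of IPv4 loose source routing, later deprecated by RFC 5095."""
    for htype, _, hdr in walk_extension_headers(pkt):
        if htype == ROUTING and hdr[2] == 0 and hdr[3] > 0:  # Routing Type, Segments Left
            return True
    return False

# --- Constructed sample packets (documentation prefix 2001:db8::/32) ---
def build_ipv6(next_hdr: int, payload: bytes) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    # Version 6, traffic class/flow label 0, payload length, next header, hop limit 64
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload

def build_rh0(next_hdr: int, hops, segments_left=None) -> bytes:
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    if segments_left is None:
        segments_left = len(hops)
    # Next Header, Hdr Ext Len, Routing Type 0, Segments Left, 4 reserved octets
    return struct.pack("!BBBBI", next_hdr, len(addrs) // 8, 0, segments_left, 0) + addrs

UDP = 17
RH0_PACKET = build_ipv6(ROUTING, build_rh0(UDP, ["2001:db8::3"]) + b"\x00" * 8)
PLAIN_PACKET = build_ipv6(UDP, b"\x00" * 8)
```

The walker stops at the first header that is not a chained extension header, so an RH0 placed behind a Hop-by-Hop or Destination Options header is still found.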
