Re: [fw-wiz] IPv6 support in firewalls



Hi, wizards,

On Thu, Aug 23, 2007 at 02:42:03PM -0400, Dave Piscitello wrote:
> Marcus, a proposal nearly identical to what you suggest was one of the first
> presented at the IETF in the mid-1990s. At the time, the intelligentsia
> pooh-poohed it as not being sufficiently forward-looking and innovative. It
> didn't consider 64-bit alignment. It didn't *fix* options. It didn't *fix*
> QOS. It didn't accommodate IP security in a "native" manner.
>
> Happily, time wounds all heels. Over a decade later, and we've bent,
> twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it does
> everything IPv6 promised - and now, all IPv6 brings to the table is a bigger
> field for addresses and an ungainly, unwanted and arguably unwarrantable
> transition scenario.

IPv6 brings back the end-to-end principle and NAT its well-deserved
death. This alone should be enough reason to go for it.

And I don't see what should be particularly more difficult to
implement in an IPv6 based application level gateway than in
an IPv4 based one. Terminate both connections in a proxy process
instead of messing with headers. Simple and effective.

OK, honestly, I cannot write an "IPv6" firewall on a jug of beer
and I don't claim I could. But some vendors got it mostly right
for IPv4 simply by using transparent proxy processes instead
of "deep adaptive whatever inspection".

And a TCP connection carrying HTTP is a TCP connection carrying
HTTP regardless of the layer 3 protocol. I expect the few remaining
ALG vendors to be the first to have proper IPv6 capable solutions
for this simple architectural reason.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@xxxxxxxx http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
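The architectural point in the post above (terminate the client connection and the origin connection in a proxy process, decide on layer-7 content, never touch IP headers) in working form. This is an added example, not code from the post, the list or any vendor: a minimal TCP relay that gates on an HTTP request line and dials the origin with AF_UNSPEC, so the same code fronts IPv4 or IPv6 clients and reaches IPv4 or IPv6 origins. The echo origin, the listen addresses and the request-line check are constructed for the example; a real ALG parses the full HTTP message, this one only looks at the first line.

```python
import socket
import threading

# Constructed policy: a request line of the form METHOD SP target SP HTTP/1.x CRLF.
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}


def looks_like_http_request(data):
    """Layer-7 gate for the relay; independent of the IP version underneath."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/1.")


def open_upstream(host, port):
    """Dial the origin with AF_UNSPEC: getaddrinfo picks v4 or v6, the proxy code does not care."""
    err = None
    for family, stype, proto, _, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        s = socket.socket(family, stype, proto)
        try:
            s.connect(sockaddr)
            return s
        except OSError as e:
            err, _ = e, s.close()
    raise err if err else OSError("no address for %r" % host)


def pump(src, dst):
    """Copy one direction until EOF, then pass the half-close on to the other side."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, upstream_host, upstream_port):
    first = client.recv(4096)
    if not looks_like_http_request(first):   # policy decision on content only
        client.close()
        return
    try:
        upstream = open_upstream(upstream_host, upstream_port)
    except OSError:
        client.close()
        return
    upstream.sendall(first)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def listener(host):
    """Listening socket on a loopback literal; the family follows the literal."""
    s = socket.socket(socket.AF_INET6 if ":" in host else socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, 0))
    s.listen(8)
    return s


def _accept_loop(ls, per_conn):
    while True:
        try:
            conn, _ = ls.accept()
        except OSError:
            return
        threading.Thread(target=per_conn, args=(conn,), daemon=True).start()


def start_proxy(listen_host, upstream_host, upstream_port):
    ls = listener(listen_host)
    threading.Thread(target=_accept_loop, daemon=True,
                     args=(ls, lambda c: handle_client(c, upstream_host, upstream_port))).start()
    return ls


def start_echo(host):
    """Constructed origin: echoes until the peer half-closes, then closes."""
    ls = listener(host)

    def serve(c):
        with c:
            pump(c, c)
    threading.Thread(target=_accept_loop, args=(ls, serve), daemon=True).start()
    return ls


def has_ipv6_loopback():
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False


def proxy_roundtrip(client_host, origin_host, payload):
    """Send payload through the proxy; return what the origin echoed (b"" if the gate dropped it).
    client_host and origin_host may be different address families."""
    echo = start_echo(origin_host)
    proxy = start_proxy(client_host, origin_host, echo.getsockname()[1])
    try:
        out = b""
        with socket.create_connection((client_host, proxy.getsockname()[1]), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            try:
                while True:
                    chunk = c.recv(4096)
                    if not chunk:
                        break
                    out += chunk
            except ConnectionResetError:
                pass
        return out
    finally:
        proxy.close()
        echo.close()


if __name__ == "__main__":
    req = b"GET / HTTP/1.0\r\nHost: origin.example\r\n\r\n"
    print(proxy_roundtrip("127.0.0.1", "127.0.0.1", req))
    if has_ipv6_loopback():
        print(proxy_roundtrip("::1", "127.0.0.1", req))   # v6 client, v4 origin, no header rewriting
```

The IPv6-front, IPv4-back case is the one worth noting: nothing in the relay maps addresses or rewrites packets, the kernel terminates two unrelated TCP connections and the proxy only moves bytes between them after its layer-7 check. That is why an ALG's IPv6 support is mostly a matter of getaddrinfo and bind families rather than of new inspection logic.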