Re: [fw-wiz] IPv6

You may not be planning to think about IPv6, but the folks at Redmond have been. If you Google on IPv6 and Windows Server 2008 R2 (or Windows 7, or even Vista), you will find that the IPv6 protocol is a mandatory component of those OS, and you are told that disabling IPv6 (unbinding that protocol from an interface) makes your OS unsupported. Microsoft did not bother to test those OS with IPv6 disabled (or so they say, at this point).

Of course, you may be a lucky person and not have to support current Windows OS on your network. If so, then you don't have to think about IPv6 for years. Otherwise, you better do some reading. You could start with this (a bit old):

"From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6 - such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail - could be.

"Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity."

Please, FW Wizards, prove me wrong. Thanks,

Carl Friedberg

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Timothy Shea
Sent: Sunday, December 26, 2010 11:23 PM
To: Devdas Bhagat; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] IPv6

There is much additional complexity in IPv6 regardless of security architecture. And IPSec being "built in" is irrelevant to the debate.

Outside of our government contracts - not even remotely thinking about IPv6. Maybe in a few more years.


On Sun, Dec 26, 2010 at 2:20 PM, Devdas Bhagat <dvb@xxxxxxxxxxxxxxxxxxxxx> wrote:

On Sun, Dec 26, 2010 at 11:56:45AM -0500, Paul D. Robertson wrote:

> Is anyone doing anything interesting with v6 and firewalls? We're
> supposedly coming up on the year that v6 will break out, and most
> organizations I know still don't even route it.

I am looking to start announcing IPv6 early next month. At this point,
Linux and *BSD boxes support IPv6 in their firewall rulesets.

There really shouldn't be much additional complexity with IPv6 in
any good security architecture. It's just another routed protocol,
with longer addresses and IPSec built in.

At the beginning though, we are likely to see simple IPv6 routing
with no AH/ESP.

What will be infinitely more interesting will be the combinations
of IPv4 to IPv6 mapping/NATing/routing which will happen.

Devdas Bhagat

firewall-wizards mailing list

Tim Shea, CISSP
