Firewall Wizards mailing list archives
Re: IPv6 redo;;
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 17 Sep 2004 14:44:21 -0400 (EDT)
On Fri, 17 Sep 2004, Marcus J. Ranum wrote:
> R. DuFresne wrote:
> > 1. how are firewalls going to deal with IPv6 addressing? Or, will IPv6 negate the need for firewalling and push everything into encryption boundaries?
>
> I don't think network-level crypto is going to solve any interesting problems (and may create new ones) so it won't ever become pervasive. This is especially the case, in my opinion, because in the last few years most of the apps that "need" security have added tunnelling over SSL or other crypto as an option. The place where host-to-host crypto is attractive is between hosts that have some kind of pre-established trust relationship. I.e.: more like a VPN member than an E-commerce transaction. My guess is that the vast majority of crypto in use on the Internet today is more the transactional type in which individuals are temporarily establishing secured connections between machines that don't really "know each other" well enough to justify establishing a full trust boundary between them. The only way I see IPv6 crypto becoming pervasive is if it's so ridiculously easy to set up and it's turned on by default, that nobody notices it's there and working. What's the likelihood of that? I guess the short form of what I just said is, "the IETF took too long, and that particular problem is being addressed in an ad hoc manner and the installed base will rule."
>
> > 2. icmp redirects, are they still a danger in the IPv6 realm such as they were and are in traditional TCP/IP?
>
> I'd love to know the answer to this one, too. ;) I'm comfortable assuming that there will be whole new kinds of attacks to discover. If options and features convert into vulnerabilities and opportunities for DOS at the usual rate, IPv6 is going to be a fertile playground for hackers.
I had an off-list reply to this specific which stated this is still an issue in IPv6 and should be addressed as it now is in IPv4.

Thanks for the replies. I'm still trying to get a handle on how IPv6 will function as pertains to firewalls and other security tools; point being the vast majority of firewalls are filters by nature, scoring upon IP addresses <singular and in ranges> in conjunction with ports <protocol specifics are limited to proxy firewall systems; the vast majority of products key on a port number, rather than protocol behaviour>, so I'm confused how this might work with IPv6 and the various addresses that an interface can be configured with in this way.

I did a google search to see what firewalls were IPv6 compliant, with the intention of doing a second or more to see how other security devices <i.e. IDS (its various forms) and such> fared in this area as well, but noted that vendors seem to still be working on firewalls, let alone other products in use in IPv4 for network and systems security, so stopped at that point...

Another off-list reply pointed me to a SANS cert paper someone did for their cert process on how OPENBSD can do this already with ip, but I have been unable to access the paper in question; SANS seems to have lost it...

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards