Firewall Wizards mailing list archives

Re: IPv6 redo;;


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 17 Sep 2004 14:44:21 -0400 (EDT)

On Fri, 17 Sep 2004, Marcus J. Ranum wrote:

R. DuFresne wrote:
1.  how are firewalls going to deal with IPv6 addressing?  Or, will IPv6
negate the need for firewalling and push everything into encryption
boundaries?

I don't think network-level crypto is going to solve any
interesting problems (and may create new ones) so it
won't ever become pervasive. This is especially the case,
in my opinion, because in the last few years most of the
apps that "need" security have added tunnelling over
SSL or other crypto as an option. The place where
host-to-host crypto is attractive is between hosts that
have some kind of pre-established trust relationship.
I.e.: more like a VPN member than an E-commerce
transaction. My guess is that the vast majority of
crypto in use on the Internet today is more the transactional
type in which individuals are temporarily establishing
secured connections between machines that don't
really "know each other" well enough to justify establishing
a full trust boundary between them. The only way I see
IPv6 crypto becoming pervasive is if it's so ridiculously
easy to set up and it's turned on by default, that nobody
notices it's there and working. What's the likelihood of
that?

I guess the short form of what I just said is, "the IETF
took too long, and that particular problem is being
addressed in an ad hoc manner and the installed base
will rule."

2.  ICMP redirects, are they still a danger in the IPv6 realm such as they
were and are in traditional TCP/IP?

I'd love to know the answer to this one, too. ;)
I'm comfortable assuming that there will be whole new kinds
of attacks to discover. If options and features convert into
vulnerabilities and opportunities for DoS at the usual rate,
IPv6 is going to be a fertile playground for hackers.


I had an off-list reply to this specific question which stated that this
is still an issue in IPv6 and should be addressed as it now is in IPv4.

Thanks for the replies.  I'm still trying to get a handle on how IPv6 will
function as it pertains to firewalls and other security tools.

The point being that the vast majority of firewalls are filters by nature,
scoring upon IP addresses (singular and in ranges) in conjunction with
ports (protocol specifics are limited to proxy firewall systems; the vast
majority of products key on a port number rather than protocol behaviour),
so I'm confused how this might work with IPv6 and the various addresses
that an interface can be configured with.  I did a Google search to see
what firewalls were IPv6 compliant, with the intention of doing a second
or more to see how other security devices (i.e. IDS in its various forms,
and such) fared in this area as well, but noted that vendors seem to still
be working on firewalls, let alone the other products in use in IPv4 for
network and systems security, so I stopped at that point...


Another off-list reply pointed me to a SANS cert paper someone did for
their cert process on how OpenBSD can do this already with ip, but I have
been unable to access the paper in question; SANS seems to have lost it...


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
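Editor's added example, not part of Ron's or Marcus's post and not any vendor's product: a minimal first-match packet filter in Python, in the style the post describes (source and destination prefixes, which is how "ranges" are expressed in IPv6, plus upper-layer protocol and destination port), with an explicit rule dropping ICMPv6 Redirect messages (type 137, RFC 4861), since the off-list reply says redirects remain an issue. The rule set, the 2001:db8::/32 documentation prefix, the link-local addresses and the packets are all constructed for illustration. The filter walks the Hop-by-Hop, Routing, Destination Options and Fragment extension headers before reading the transport header, because in IPv6 the port is not at a fixed offset from the start of the packet: a filter that reads the byte at offset 40 as the protocol would not recognise the `web_with_dstopts` packet as TCP at all. It computes no checksums and does not reassemble fragments.

```python
"""Constructed example: prefix+port filtering of IPv6 with ICMPv6 Redirect blocking."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

IPV6_HDR_LEN = 40
NH_TCP, NH_ICMPV6 = 6, 58
NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
ICMPV6_REDIRECT = 137                     # RFC 4861 Redirect message type
ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Rule:
    action: str                           # "allow" or "deny"
    src: ipaddress.IPv6Network = ANY      # a prefix is the IPv6 form of an address range
    dst: ipaddress.IPv6Network = ANY
    next_hdr: Optional[int] = None        # upper-layer protocol after extension headers
    dport: Optional[int] = None           # TCP destination port
    icmp_type: Optional[int] = None       # ICMPv6 type


def walk_extension_headers(nh: int, payload: bytes):
    """Skip extension headers so the transport header can be located.
    Hop-by-Hop, Routing and Destination Options share a layout: next header,
    then length in 8-octet units not counting the first 8. Fragment is 8 bytes."""
    off = 0
    while True:
        if nh in (NH_HOPBYHOP, NH_ROUTING, NH_DSTOPTS):
            if len(payload) < off + 2:
                raise ValueError("truncated extension header")
            nh, ext_len = payload[off], payload[off + 1]
            off += (ext_len + 1) * 8
        elif nh == NH_FRAGMENT:
            if len(payload) < off + 8:
                raise ValueError("truncated fragment header")
            nh = payload[off]
            off += 8
        else:
            return nh, off


def parse_ipv6(pkt: bytes) -> dict:
    """Return the fields the filter keys on: addresses, protocol, port, ICMPv6 type."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("short packet")
    ver_tc_fl, plen, nh, _hop = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    payload = pkt[40:40 + plen]
    nh, off = walk_extension_headers(nh, payload)
    upper = payload[off:]
    info = {"src": src, "dst": dst, "next_hdr": nh, "dport": None, "icmp_type": None}
    if nh == NH_TCP and len(upper) >= 4:
        info["dport"] = struct.unpack("!H", upper[2:4])[0]
    elif nh == NH_ICMPV6 and len(upper) >= 1:
        info["icmp_type"] = upper[0]
    return info


def evaluate(rules, pkt: bytes) -> str:
    """First matching rule wins; anything unmatched is denied."""
    p = parse_ipv6(pkt)
    for r in rules:
        if p["src"] not in r.src or p["dst"] not in r.dst:
            continue
        if r.next_hdr is not None and r.next_hdr != p["next_hdr"]:
            continue
        if r.dport is not None and r.dport != p["dport"]:
            continue
        if r.icmp_type is not None and r.icmp_type != p["icmp_type"]:
            continue
        return r.action
    return "deny"


# --- constructed packets (not captured traffic); checksums are left at zero ---
def build_ipv6(src, dst, nh, upper, dst_opts=False):
    """Optionally prepend an 8-byte Destination Options header (one PadN option)
    so the transport header is no longer at offset 40."""
    if dst_opts:
        upper = bytes([nh, 0, 1, 4, 0, 0, 0, 0]) + upper
        nh = NH_DSTOPTS
    hdr = struct.pack("!IHBB", 6 << 28, len(upper), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + upper


def tcp_hdr(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def icmpv6_redirect():
    return struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0) + b"\x00" * 32   # target + dest


RULES = [
    Rule("deny", next_hdr=NH_ICMPV6, icmp_type=ICMPV6_REDIRECT),           # drop Redirects
    Rule("allow", ipaddress.IPv6Network("fe80::/10"), ipaddress.IPv6Network("fe80::/10"),
         next_hdr=NH_ICMPV6),                                                # other link-local ICMPv6 (NDP)
    Rule("allow", ipaddress.IPv6Network("2001:db8:1::/48"),
         ipaddress.IPv6Network("2001:db8::10/128"), next_hdr=NH_TCP, dport=80),
]


def demo():
    pkts = {
        "web": build_ipv6("2001:db8:1::5", "2001:db8::10", NH_TCP, tcp_hdr(40000, 80)),
        "ssh": build_ipv6("2001:db8:1::5", "2001:db8::10", NH_TCP, tcp_hdr(40001, 22)),
        "web_with_dstopts": build_ipv6("2001:db8:1::5", "2001:db8::10", NH_TCP,
                                       tcp_hdr(40002, 80), dst_opts=True),
        "redirect": build_ipv6("fe80::1", "fe80::abcd", NH_ICMPV6, icmpv6_redirect()),
        "ns": build_ipv6("fe80::1", "fe80::abcd", NH_ICMPV6,
                         bytes([135, 0, 0, 0]) + b"\x00" * 20),             # Neighbor Solicitation
    }
    return {name: evaluate(RULES, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

Run it as a script and it prints one verdict per constructed packet; the Redirect is denied while the Neighbor Solicitation on the same link is allowed, and the port-80 packet is allowed whether or not a Destination Options header sits in front of the TCP header.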

