Firewall Wizards mailing list archives

Re: IPv6 support in firewalls


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 23 Aug 2007 16:52:05 -0400

On Wed, 22 Aug 2007 20:02:05 -0400
"Mike Barkett" <mbarkett () us checkpoint com> wrote:

> Some of the problems are a bit different due to the increased scale.
> For example, can you think of a good way to proactively scan an
> entire IPv6 subnet for vulnerabilities and rogue hosts?  With v4 and
> RFC 1918, it is barely feasible to actively scan 10/8 within a
> reasonable amount of time, so v6 presents a new challenge in this
> respect.  Basically, you have to wait until something starts talking
> and then go out and scan it.  Either way, you're going to be waiting
> a while before you even know it's there.

I don't think the problem is that bad, though some extra logging may
need to be added to routers.  You can always send broadcast pings on
each LAN, monitor switch and router MAC address tables, etc.  These are
things that are relatively easy for good guys to do.  See
http://www.cs.columbia.edu/~smb/papers/v6worms.pdf for how the bad guys
can do it.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
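Added example, not code from either message in the thread: the LAN-side approach Steve describes (solicit the link instead of sweeping the /64, then read what shows up in the neighbor cache and compare it against an inventory), plus the arithmetic behind Mike's scale point. The iproute2 `ip -6 neigh` output format, the sample cache entries and the known-MAC inventory are assumptions constructed for the example so it runs offline; the `solicit_and_collect` helper is the live variant and is not exercised here.

```python
"""Added example (not from the firewall-wizards thread).

Rather than brute-forcing a /64, join the conversation: every IPv6 node
must listen on the all-nodes multicast group ff02::1 (RFC 4291), so an
echo request to that group populates the router's or scanner's neighbor
cache with the link-layer addresses of whatever is alive on the link.
The cache is then diffed against an asset inventory to flag rogue hosts.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ip -6 neigh show dev eth0` output (iproute2 format).
# Assumption for the example; not captured from a real network.
SAMPLE_NEIGH = """\
fe80::1 lladdr 00:00:5e:00:53:01 router REACHABLE
2001:db8:0:1::10 lladdr 00:00:5e:00:53:10 STALE
fe80::200:5eff:fe00:5310 lladdr 00:00:5e:00:53:10 REACHABLE
2001:db8:0:1:9c2a:ff:fe11:2233 lladdr 00:00:5e:00:53:aa DELAY
2001:db8:0:1::dead FAILED
"""

# Constructed inventory: link-layer addresses the asset database knows about.
KNOWN_MACS = {"00:00:5e:00:53:01", "00:00:5e:00:53:10"}

@dataclass(frozen=True)
class Neighbor:
    addr: str
    lladdr: str      # empty when the entry never resolved (FAILED/INCOMPLETE)
    state: str
    is_router: bool

# One neighbor-cache line: <addr> [dev X] [lladdr <mac>] [router] <STATE>
_LINE = re.compile(
    r"^(?P<addr>\S+)"
    r"(?:\s+dev\s+\S+)?"
    r"(?:\s+lladdr\s+(?P<lladdr>[0-9a-f:]{17}))?"
    r"(?P<router>\s+router)?"
    r"\s+(?P<state>[A-Z]+)\s*$"
)

def parse_neigh(text: str) -> list[Neighbor]:
    """Parse iproute2 `ip -6 neigh` output into Neighbor records.

    Unresolved entries are kept: an address that was solicited but never
    answered is itself worth logging.
    """
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        out.append(Neighbor(m["addr"], m["lladdr"] or "", m["state"], bool(m["router"])))
    return out

def rogue_hosts(neighbors: list[Neighbor], known_macs) -> list[str]:
    """Link-layer addresses that answered on the LAN but are not in the inventory."""
    seen = {n.lladdr for n in neighbors if n.lladdr}
    return sorted(seen - set(known_macs))

def addresses_by_mac(neighbors: list[Neighbor]) -> dict[str, set[str]]:
    """Group link-local, global and privacy addresses by the host (MAC) behind them."""
    groups: dict[str, set[str]] = {}
    for n in neighbors:
        if n.lladdr:
            groups.setdefault(n.lladdr, set()).add(n.addr)
    return groups

def probe_years(address_bits: int, probes_per_second: float) -> float:
    """Years needed to probe every address in a space of 2**address_bits
    at a fixed rate: 24 bits for 10/8, 64 bits for one IPv6 subnet."""
    return 2 ** address_bits / probes_per_second / (365 * 86400)

def solicit_and_collect(ifname: str) -> list[Neighbor]:
    """Live variant (Linux, iputils ping, iproute2; needs a real interface):
    ping the all-nodes group, then read the neighbor cache it populated."""
    subprocess.run(["ping", "-6", "-c", "2", "-I", ifname, "ff02::1"],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    res = subprocess.run(["ip", "-6", "neigh", "show", "dev", ifname],
                         capture_output=True, text=True, check=True)
    return parse_neigh(res.stdout)

if __name__ == "__main__":
    neigh = parse_neigh(SAMPLE_NEIGH)
    for mac, addrs in sorted(addresses_by_mac(neigh).items()):
        print(f"{mac}: {', '.join(sorted(addrs))}")
    print("rogue:", rogue_hosts(neigh, KNOWN_MACS))
    print(f"10/8 at 1M pps: {probe_years(24, 1e6) * 365 * 86400:.0f} s")
    print(f"one /64 at 1M pps: {probe_years(64, 1e6):,.0f} years")
```

Two caveats a practitioner would add: some hosts filter ICMPv6 echo (including to multicast), so the cache-diff is only complete when combined with the router and switch table monitoring Steve mentions or with passive capture of Neighbor Solicitation and DAD traffic; and grouping by MAC matters because a single host with privacy addresses (RFC 4941) shows up under several global addresses that all belong to one link-layer address.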

