Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Thu, 23 Aug 2007 16:52:05 -0400
On Wed, 22 Aug 2007 20:02:05 -0400 "Mike Barkett" <mbarkett () us checkpoint com> wrote:
> Some of the problems are a bit different due to the increased scale. For example, can you think of a good way to proactively scan an entire IPv6 subnet for vulnerabilities and rogue hosts? With v4 and RFC 1918, it is barely feasible to actively scan 10/8 within a reasonable amount of time, so v6 presents a new challenge in this respect. Basically, you have to wait until something starts talking and then go out and scan it. Either way, you're going to be waiting a while before you even know it's there.
I don't think the problem is that bad, though some extra logging may need to be added to routers. You can always send broadcast pings on each LAN, monitor switch and router MAC address tables, etc. These are things that are relatively easy for good guys to do. See http://www.cs.columbia.edu/~smb/papers/v6worms.pdf for how the bad guys can do it.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
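A defender-side sketch of the approach Bellovin describes, added here as an illustration and not part of the original thread: rather than sweeping a /64, you ping the all-nodes multicast group on each LAN (on Linux, `ping -6 -c 2 ff02::1%eth0`, which is an assumption about the tooling, not something the message specifies), let the router's or monitor's neighbor cache fill up, read it back with `ip -6 neigh show`, and compare the hardware addresses seen against an inventory. The neighbor-table output and the list of known MACs below are constructed sample data; the function names are this example's own.

```python
"""Inventory IPv6 hosts on a LAN from the neighbor cache instead of scanning.

Workflow (Linux iproute2 assumed):
  1. ping -6 -c 2 ff02::1%<iface>   # all-nodes multicast, populates the cache
  2. ip -6 neigh show               # dump the cache
  3. compare link-layer addresses against the site's hardware inventory

Not every host answers an all-nodes echo (some stacks ignore multicast
pings by default), but any host that talks at all shows up through Neighbor
Discovery, and the same comparison works against a switch's MAC table.
"""
import re
from collections import defaultdict

# Constructed sample output in the format of ``ip -6 neigh show`` on Linux.
SAMPLE_NEIGH_OUTPUT = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:10 STALE
fe80::211:22ff:fe33:4410 dev eth0 lladdr 00:11:22:33:44:10 REACHABLE
2001:db8:1:0:d8e0:3ec7:9a1b:2f44 dev eth0 lladdr 00:11:22:33:44:10 DELAY
2001:db8:1::77 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
fe80::aabb:ccff:fedd:ee01 dev eth1 lladdr aa:bb:cc:dd:ee:01 STALE
2001:db8:1::99 dev eth0 FAILED
"""

# Constructed inventory: hardware addresses the site knows about.
KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:10"}

# One neighbor entry per line: <ip> dev <if> [lladdr <mac>] [router] <STATE>
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<lladdr>[0-9a-fA-F:]{17}))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)$"
)


def parse_neigh_table(text):
    """Parse ``ip -6 neigh show`` output into (ip, dev, lladdr, state) tuples.

    Unresolved entries (INCOMPLETE/FAILED) have no link-layer address; they
    are kept with lladdr=None so the caller can decide how to treat them.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NEIGH_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised neighbor entry: {line!r}")
        lladdr = m.group("lladdr")
        entries.append((m.group("ip"), m.group("dev"),
                        lladdr.lower() if lladdr else None, m.group("state")))
    return entries


def hosts_by_mac(entries):
    """Group resolved addresses by (interface, hardware address).

    An IPv6 host normally carries several addresses at once (link-local,
    global, temporary/privacy addresses), so the hardware address, not the
    IP, is the unit of inventory. Unresolved entries are dropped.
    """
    hosts = defaultdict(set)
    for ip, dev, lladdr, state in entries:
        if lladdr is None or state in {"FAILED", "INCOMPLETE"}:
            continue
        hosts[(dev, lladdr)].add(ip)
    return dict(hosts)


def find_rogue_hosts(entries, known_macs):
    """Return {(dev, mac): addresses} for hosts whose MAC is not in inventory."""
    known = {m.lower() for m in known_macs}
    return {key: ips for key, ips in hosts_by_mac(entries).items()
            if key[1] not in known}


if __name__ == "__main__":
    table = parse_neigh_table(SAMPLE_NEIGH_OUTPUT)
    for (dev, mac), ips in sorted(find_rogue_hosts(table, KNOWN_MACS).items()):
        print(f"unknown host on {dev}: {mac} -> {', '.join(sorted(ips))}")
```

In the sample, the host behind `00:11:22:33:44:10` appears three times in the cache (link-local, static global and a privacy address) but is counted once, while `00:11:22:33:44:77` and the `eth1` host are flagged because no inventory record covers them. The `FAILED` entry is skipped: without a resolved link-layer address there is nothing to match against, which is exactly the case where a switch MAC table or extra router logging, as the message suggests, fills the gap.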