On 2011-09-12 17:55, Michael Newbery wrote:
On 12/9/11 1:41 PM, "Donald Clark" wrote:
All
In the piece of work I'm doing for the IPv6 TaskForce, a recurrent theme has been problems around firewalling / security in general with IPv6. This has raised its head in three variations:
1 - my kit doesn't support it / well
2 - I don't know what v6 policies to turn on, or off / how should I setup rules by range
3 - we don't have any v6 rules (but it may be turned on by default)
Does anyone have any examples of attacks, exposures, policy challenges around v6?
Cheers
DC
Well, there is the NIST document, "Guidelines for the Secure Deployment of IPv6"
I have reservations about this document, but it is probably a useful starting point. At least it gets them on the way to understanding what they don't know.
Except that it basically says "block all tunnels unconditionally" which is one of the major operational problems for people whose corporate network doesn't support IPv6. That's a black mark against the NIST, and equivalent US DoD, documents.
Brian
Another approach I think might be useful from conversations I've had is in pointing out a few headline adjustments they need to make in their thinking. (Note the statements are somewhat dogmatic, by design. Think of them as IPv6 Koans: mental tools to create a right world-view)
* NAT does not exist. If your application requires NAT (e.g. load balancing) it's broken under IPv6. There is no workaround. This is a feature. NAT is gone. [I found this probably the biggest mind-blow for some people]
* ICMP is not optional. Blocking ICMPv4 indiscriminately was always a bad idea, now it's a terminal idea.
* ARP is gone.
* Multicast is not optional
* An interface WILL have multiple IPv6 addresses
* DHCP is optional. If you think you need DHCP, then re-evaluate very, very carefully.
* That best practice of providing reverse DNS entries for all possible addresses on your LAN? Not possible. Gone.
* Reverse DNS as a way of encoding useful information is probably not very useful anymore. Find a better way.
* Address scanning your own LAN to find things? Yeah, no.
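Two of the points raised in this thread, "ICMP is not optional" and "we don't have any v6 rules (but it may be turned on by default)", can be turned into a mechanical check. The following is an added example, not code from anyone on this list: a small first-match-wins model of an IPv6 filter policy and an audit that reports which ICMPv6 message types the policy drops. The set of "essential" types is this example's own choice, drawn from the error, echo, Neighbor Discovery and MLD messages that RFC 4890 covers; the rule model, the `Rule`/`Policy` names and the three sample policies are constructed for illustration and do not correspond to any real firewall's syntax.

```python
"""Audit a simplified IPv6 filter policy for ICMPv6 types that must get through.

Added example (not from the mailing-list thread). The rule model is a
deliberately minimal first-match-wins list; real firewalls are richer.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# ICMPv6 types this example treats as essential. Dropping any of these
# breaks PMTU discovery, address autoconfiguration, neighbour resolution
# or multicast group membership. (Assumption: this list is a policy choice;
# RFC 4890 gives the full per-type, per-code guidance.)
ESSENTIAL_ICMPV6 = {
    1: "Destination Unreachable",
    2: "Packet Too Big",            # IPv6 routers do not fragment: PMTUD depends on this
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
    130: "Multicast Listener Query",
    131: "Multicast Listener Report",
    132: "Multicast Listener Done",
    133: "Router Solicitation",     # 133-136: Neighbor Discovery replaces ARP
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    143: "Version 2 Multicast Listener Report",
}


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    proto: str = "any"               # "icmpv6", "tcp", "udp" or "any"
    icmp_type: Optional[int] = None  # None matches every ICMPv6 type


@dataclass(frozen=True)
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default: str = "drop"            # applied when no rule matches


def decide(policy: Policy, proto: str, icmp_type: Optional[int] = None) -> str:
    """Return the action the policy takes for one packet (first matching rule wins)."""
    for rule in policy.rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.icmp_type is not None and rule.icmp_type != icmp_type:
            continue
        return rule.action
    return policy.default


def blocked_essential_types(policy: Policy) -> List[int]:
    """ICMPv6 types from ESSENTIAL_ICMPV6 that the policy would drop."""
    return sorted(t for t in ESSENTIAL_ICMPV6 if decide(policy, "icmpv6", t) == "drop")


def audit(policy: Policy) -> List[str]:
    """Human-readable findings for a policy; an empty list means no issue found."""
    findings = [
        f"ICMPv6 type {t} ({ESSENTIAL_ICMPV6[t]}) is dropped"
        for t in blocked_essential_types(policy)
    ]
    if not policy.rules:
        # The "no v6 rules at all" case: whatever the default is applies to everything.
        findings.append(f"no IPv6 rules: default policy {policy.default!r} applies to everything")
    return findings


# Constructed sample policies.
# 1) The classic mistake carried over from IPv4: drop all ICMP, allow TCP.
INDISCRIMINATE = Policy(rules=[Rule("drop", "icmpv6"), Rule("accept", "tcp")], default="drop")
# 2) The same policy with the essential ICMPv6 types permitted before the catch-all drop.
CORRECTED = Policy(
    rules=[Rule("accept", "icmpv6", t) for t in ESSENTIAL_ICMPV6]
    + [Rule("drop", "icmpv6"), Rule("accept", "tcp")],
    default="drop",
)
# 3) IPv6 enabled on the host but nobody wrote any v6 rules.
NO_RULES = Policy(rules=[], default="accept")

if __name__ == "__main__":
    for name, pol in (("indiscriminate", INDISCRIMINATE), ("corrected", CORRECTED), ("no rules", NO_RULES)):
        print(f"[{name}]")
        for line in audit(pol) or ["ok"]:
            print("  " + line)
```

Running it reports every essential type as dropped for the first policy, nothing for the corrected one, and a single "no IPv6 rules" finding for the third. The point of the ordering in `CORRECTED` is that the permits must precede the catch-all ICMPv6 drop, otherwise first-match semantics make them dead rules.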