firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: IPv6 support in firewalls (Mike Barkett)
2. Re: IPv6 support in firewalls (Marcus J. Ranum)
3. Re: IPv6 support in firewalls (Marcus J. Ranum)
4. Re: IPv6 support in firewalls (Paul Melson)
5. ***SPAM*** Re: IPv6 support in firewalls (Dave Piscitello)
6. Re: IPv6 support in firewalls (Shahin Ansari)
----------------------------------------------------------------------
Message: 1
Date: Wed, 22 Aug 2007 20:02:05 -0400
From: "Mike Barkett" <mbarkett@us.checkpoint.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: <firewall-wizards@listserv.cybertrust.com>
Message-ID: <006001c7e518$d8f81020$64c7630a@MAB43p>
Content-Type: text/plain; charset="us-ascii"
> Date: Wed, 22 Aug 2007 12:56:27 -0700
> From: Darren Reed <darrenr@reed.wattle.id.au>
> Subject: Re: [fw-wiz] IPv6 support in firewalls
> To: Firewall Wizards Security Mailing List
> <firewall-wizards@listserv.cybertrust.com>
> Cc: "Marcus J. Ranum" <mjr@ranum.com>, dave@corecom.com
> Message-ID: <46CC94EB.10707@reed.wattle.id.au>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Marcus J. Ranum wrote:
> > It shouldn't be. Let's see - it took HOW long to even sort out the
> > most obvious DOS vectors in V4, which was a vastly simpler
> > protocol. The recent rumblings about problems in V6 indicate
> > that finding flaws in V6 will be a lot like hunting Passenger
> > Pigeons was in the 1700's: point your shotgun at the sky and
> > pull the trigger and several will fall at your feet.
> >
>
> The security problems are the same, just that some have different
> names now. Loose/strict source routing options from IPv4 are
> present in IPv6 under a new guise - this new costume resulted
> in a few platforms shipping with processing of then enabled by
> default. In IPv6 the devils are extension headers and in this case,
> the routing extension header (but only type 0, so they say...)
> Darren
>
Some of the problems are a bit different due to the increased scale. For
example, can you think of a good way to proactively scan an entire IPv6
subnet for vulnerabilities and rogue hosts? With v4 and RFC 1918, it is
barely feasible to actively scan 10/8 within a reasonable amount of time, so
v6 presents a new challenge in this respect. Basically, you have to wait
until something starts talking and then go out and scan it. Either way,
you're going to be waiting a while before you even know it's there.
-MAB
--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512
------------------------------
Message: 2
Date: Wed, 22 Aug 2007 21:17:11 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20070822194801.04db68b0@ranum.com>
Content-Type: text/plain; charset="us-ascii"
Shahin Ansari wrote:
>- How is it that ( I have heard ) Asia PAC counties like China have converted to IPv6 already? Given all the security issues you mention ...
There will be interesting times for early adopters. That's what usually
happens. Right now the IPV4 target space is so rich that the attackers
have not set their sights on IPV6. Just wait. Remember - IPV4 got a
10 year grace period, too, until it became predominant. Once it became
widely enough used to represent a big target, then it was feeding time.
IPV6 will be BOHICA for sure.
IPV6 has got a lot of complexity and was designed by a committee. I
guess that's a redundant statement but, well... You get the idea.
> - Some purpose having every device support both stack, what are some of the issues you can run into with this? CPU ?
There are all kinds of potential problems. For one thing, you have
multiple stacks and multiple addresses. Now, it's not just a
matter of firewalling off a single network interface - now, "what
is a network interface?" is a more sensible question. Are
there potentials for screwing up a system by bouncing traffic
from one interface to another? We saw that with IPV4 loopback
devices.. And, there's always the code bloat. "Hey, just stick
it in the kernel! After all, we've already linked the kitchen sink
in there! Let's stick a whole 'nother network stack in there
in case some hacker wants to enable it and tunnel traffic
out..."
mjr.
------------------------------
Message: 3
Date: Wed, 22 Aug 2007 21:33:22 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: darrenr@reed.wattle.id.au, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.cybertrust.com>
Cc: dave@corecom.com
Message-ID: <6.2.0.14.2.20070822212659.050ed7a8@ranum.com>
Content-Type: text/plain; charset="us-ascii"
Darren Reed wrote:
>The only way that they can plan to do this is by specifying
>that IPv6 is used - there is no other alternative.
That's because nobody's looking for one. So IPV6 becomes
both the question and the answer.
This is remarkably familiar for those of us who survived
the early days of the OSI wars. There was no alternative to
OSI, either. Except for the simple little protocol that
just worked.
Left fill with zeroes, bump the version number, double the
address space size, and let 'er rip. Sure, there'd be some
details to sort out, but in terms of the complexity of
cutting over to IPV6 it'd be a weekend job. The problem is
that the people who COULD do it don't WANT to do it
because they all want to be part of the clever bunch who
wrote The Next Big Standard (by the way, that same
thinking was what torpedoed OSI: one standard committee
too many...)
mjr.
------------------------------
Message: 4
Date: Wed, 22 Aug 2007 20:11:58 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: darrenr@reed.wattle.id.au, "Firewall Wizards Security Mailing
List" <firewall-wizards@listserv.icsalabs.com>
Cc: "Marcus J. Ranum" <mjr@ranum.com>, dave@corecom.com, Firewall
Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<40ecb01f0708221711q5b7d22b2q7b22657125ae09b8@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 8/22/07, Darren Reed <darrenr@reed.wattle.id.au> wrote:
> It's not just this, people today want to deploy/build large scale IP
> networks where 10/8 isn't enough, not to mention giving those
> addresses visibility to the Internet.
NOOOOO! One of the great things about the perceived scarcity of IPv4
space on the Internet is that it finally forced most of the
institutions that were still using public addresses for everything
with an Ethernet port in it to implement NAT (and thus a firewall of
some sort). For nearly two decades, K12's, .gov's, state & locals,
and .edu's just swung their entire network in the public address space
breeze. They rocked out with their netblock out, so to speak.
The thought of a return to that kind of "we've got plenty, put it on
the public net" makes my stomach turn. I turned over a few of those
rocks (putting once public address space behind firewalls and
reviewing the logs) and it wasn't pretty.
> The only way that they can plan to do this is by specifying
> that IPv6 is used - there is no other alternative.
I say we dust off IPX. Sure, it didn't natively support sockets, but
it had name resolution, server-less dynamic addressing is a snap (or
is that a SAP?), and you won't run out of address space before the
manufacturers do - built in provisioning control! :-)
> Anyone want to start a pool/tab on when the sky will reach the ground? :)
We've been swimming in clouds for a long time.
PaulM
------------------------------
Message: 5
Date: Thu, 23 Aug 2007 14:42:03 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46CDD4FB.3040903@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"
Marcus, a proposal nearly identical to what you suggest was one of the
first presented at the IETF in the mid-1990s. At the time, the
intelligentiaTF poo-pooed it as not being sufficiently forward-looking
and innovative. It didn't consider 64-bit alignment. It didn't *fix*
options. It didn't *fix* QOS. It didn't accommodate IP security in a
"native" manner.
Happily, time wounds all heels. Over a decade later, and we've bent,
twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it does
everything IPv6 promised - and now, all IPv6 brings to the table is a
bigger field for addresses and an ungainly, unwanted and arguably
unwarrantable transition scenario.
Jot down your proposal in an internet-draft. I bet you find a surprising
number of technical folks who'll happily reconsider IPv6 deployment in
favor of what I suggest you call IPkiss.
Oh, for the record, I was one of the folks who wrote OSI's network
protocol (and yes, it is dog ugly, but name me a protocol developed by
committee that isn't...). We didn't write it because we wanted to be
remembered as a clever bunch. We wrote it because we didn't want to be
remembered as the lame bunch of idiots who left public, switched
networking in the hands of X.25 and ISDN operators, because in the early
1980s, the rest of the world wasn't about to adopt US DOD protocols, and
because we figured any network layer datagram, no matter how ugly, would
be a far site better than living the rest of our networking lives under
the thumb of network operators whose vision of broadband was 1 megabit
per second.
Marcus J. Ranum wrote:
> Darren Reed wrote:
>> The only way that they can plan to do this is by specifying
>> that IPv6 is used - there is no other alternative.
>
> That's because nobody's looking for one. So IPV6 becomes
> both the question and the answer.
>
> This is remarkably familiar for those of us who survived
> the early days of the OSI wars. There was no alternative to
> OSI, either. Except for the simple little protocol that
> just worked.
>
> Left fill with zeroes, bump the version number, double the
> address space size, and let 'er rip. Sure, there'd be some
> details to sort out, but in terms of the complexity of
> cutting over to IPV6 it'd be a weekend job. The problem is
> that the people who COULD do it don't WANT to do it
> because they all want to be part of the clever bunch who
> wrote The Next Big Standard (by the way, that same
> thinking was what torpedoed OSI: one standard committee
> too many...)
>
> mjr.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dave.vcf
Type: text/x-vcard
Size: 220 bytes
Desc: not available
Url : https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070823/00d7105f/attachment-0001.vcf
------------------------------
Message: 6
Date: Thu, 23 Aug 2007 11:43:26 -0700 (PDT)
From: Shahin Ansari <zohal52@yahoo.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: darrenr@reed.wattle.id.au, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <67171.25757.qm@web30712.mail.mud.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"
Yes to add to the mobile carrier issue is the ARIN mandate which you have to justify the request by needing at least 1/3 of what you request. Who is going to buy a mobile service only to have to wait until provider gets ip?
Darren Reed <darrenr@reed.wattle.id.au> wrote: David Lang wrote:
> On Wed, 22 Aug 2007, Darren Reed wrote:
>
>> Marcus J. Ranum wrote:
>>> Dave Piscitello wrote:
>>>> I suppose I should begin by answering "why the interest in IPv6?"
>>>> question. Simply put, we are running out of IPv4 addresses (yeah, I
>>>> know, the Sky is Falling, NAT will save us forever...). Based on
>>>> current
>>>> consumption rates, some folks speculate that the remaining addresses
>>>> not yet distributed by IANA will be exhausted by 2009.
>>>
>>> This prediction was made before, if I recall correctly. In 1994. Except
>>> that we were going to run out, uh, in 1999. Yes, the sky is
>>> falling, but
>>> it appears to be falling fairly slowly and gently. :)
>>>
>>> Perhaps something better than IPv6 will still come along. You know,
>>> like what a few of us suggested back in 1992 - namely doubling
>>> the address size, left-filling with zeroes, and bumping the
>>> version number? ;)
>> ..
>>
>> It's not just this, people today want to deploy/build large scale IP
>> networks where 10/8 isn't enough, not to mention giving those
>> addresses visibility to the Internet.
>
> who has 4B machines?, or assume that you gave each machine a /30
> subnet, who has 1B machines?
I said 10/8, not 0/32.
10/8 is only 16M addresses.
How many mobile phones are there connected to (say) AT&T's phone network?
More than 16M. If AT&T wanted to be able to address each phone individually
on their internal network at any given point in time?
And then what about say one of the Chinese carriers with another 30M phones?
How do you fit those into an already crowded Internet address space with
only
32 bits of addressing available to you?
> the claim that 10/8 isn't big enough is makeing large assumptions
> about how you allocate the addresses.
Yes and no. If you think about it, 16,000,000 isn't really a lot.
At 4B, that's barely enough for 1 per person for some value of "yesterday".
If you said everyone on the planet was entitled to a /24, then you need over
40 bits in the address space, and that's just flat allocation.
> as for makeing those machines visable on the Internet, I'd ask why
> they need to be directly visable. something on this scale is probably
> not _really_ needing everyone else on the Internet to connect on
> arbatrary ports, and once you start defining what traffic you need you
> can define ways to get to them with that traffic without needing to
> have the machines directly visable (also contrary to what the IPV6
> pushers say)
Even if they don't need to be directly visible on the Internet,
they may need to be (or it is desirable for it to be possible)
visible inside some other network.
People design networks according to various needs.
As corporations grow and the world connected to the network
grows, so to will the demands placed on IPv4 addresses.
While there will always be refusniks that want to believe that
IPv4 can't d it, the reality is it is closing close to the end of
its useful life in terms of address space. Having to put everything
behind NATs sucks for end host visibility.
Move with the time, accept that IPv6 will become reality,
shout and scream a little if that helps. But we are getting to
a point where the amount of engineering required to keep
IPv4 going is becoming more than its worth so accepting
that, however much it hurts, is probably worth your while.
Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
---------------------------------
Looking for a deal? Find great prices on flights and hotels with Yahoo! FareChase.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070823/dfa67e6c/attachment.html
------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
End of firewall-wizards Digest, Vol 16, Issue 10
************************************************
No comments:
Post a Comment