
Friday, August 24, 2007

firewall-wizards Digest, Vol 16, Issue 11

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. ***SPAM*** Re: IPv6 support in firewalls (Dave Piscitello)
2. Re: IPv6 support in firewalls (Patrick M. Hausen)
3. Re: ***SPAM*** Re: IPv6 support in firewalls (Steven M. Bellovin)
4. Re: IPv6 support in firewalls (Steven M. Bellovin)
5. Re: ***SPAM*** Re: IPv6 support in firewalls (ArkanoiD)
6. Re: IPv6 support in firewalls (Marcus J. Ranum)
7. Re: ***SPAM*** Re: IPv6 support in firewalls (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Thu, 23 Aug 2007 17:06:55 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: "Patrick M. Hausen" <hausen@punkt.de>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <46CDF6EF.2010009@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

I'm sorry, but you are not using the term end-to-end in the correct context.

End-to-end has less to do with addressing and more to do with where you put
functionality. Read Saltzer, Reed and Clark's article on End to end
principles in system design (ACM) or some classic articles by David
Cheriton, et al.

End-to-end was directed at the notion of "smart connection endpoints,
dumb network", as opposed to a telephony model of "smart network, dumb
endpoints (phones)".

Today, very few end user applications and connections are end-to-end
addressed. Look at SSL VPNs. Look at many web or other application data
centers.

We have far more "box in the middle" configurations than end-to-end
addressable connections today, and as my respected colleague, Craig
Melson has already stated so elegantly

"One of the great things about the perceived scarcity of IPv4
space on the Internet is that it finally forced most of the
institutions that were still using public addresses for everything
with an Ethernet port in it to implement NAT."

Almost any firewalled configuration uses IP masquerading and that's
hugely important. Do you really think it's better to assign public
address space behind firewalls? Do you really want everyone to know
every IP address block your organization uses internally by querying an
RIR?

These combined are reasons to implement IPv4 forever:-)

Having said this, I agree with much of what you say about writing an
IPv6 firewall. Aside from writing secure code for the IPv6 kernel, a big
chunk of the work is deciding what of the IPv6 datagram header pose
security threats and how you intend to use or dispose of them. Vendors
who wrote ALGs/proxies may in fact have some advantage over "intensely,
pervasively and ecumenically stateful inspection" (aye, Cap'n).

It's not that it is hard Patrick, it's that we have hundreds of
security vendors competing for a tiny fraction of IT budgets, so margins
count. Few product development teams will place IPv6 implementation at
the top of the feature list until the market matures. Currently, I would
hesitate to even call the IPv6 market nascent (in terms of promise of
revenue).

So we are stuck between the rock and the hard place.

Patrick M. Hausen wrote:
> Hi, wizards,
>
> On Thu, Aug 23, 2007 at 02:42:03PM -0400, Dave Piscitello wrote:
>> Marcus, a proposal nearly identical to what you suggest was one of the first
>> presented at the IETF in the mid-1990s. At the time, the intelligentiaTF
>> poo-pooed it as not being sufficiently forward-looking and innovative. It
>> didn't consider 64-bit alignment. It didn't *fix* options. It didn't *fix*
>> QOS. It didn't accommodate IP security in a "native" manner.
>>
>> Happily, time wounds all heels. Over a decade later, and we've bent,
>> twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it does
>> everything IPv6 promised - and now, all IPv6 brings to the table is a bigger
>> field for addresses and an ungainly, unwanted and arguably unwarrantable
>> transition scenario.
>
> IPv6 brings back the end-to-end principle and NAT its well-deserved
> death. This alone should be enough reason to go for it.
>
> And I don't see what should be particularly more difficult to
> implement in an IPv6 based application level gateway than in
> an IPv4 based one. Terminate both connections in a proxy process
> instead of messing with headers. Simple and effective.
>
> OK, honestly, I cannot write an "IPv6" firewall on a jug of beer
> and I don't claim I could. But some vendors got it mostly right
> for IPv4 simply by using transparent proxy processes instead
> of "deep adaptive whatever inspection".
>
> And a TCP connection carrying HTTP is a TCP connection carrying
> HTTP regardless of the layer 3 protocol. I expect the few remaining
> ALG vendors to be the first to have proper IPv6 capable solutions
> for this simple architectural reason.
>
> Kind regards,
> Patrick M. Hausen
> Leiter Netzwerke und Sicherheit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dave.vcf
Type: text/x-vcard
Size: 220 bytes
Desc: not available
Url : https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070823/6e7776ba/attachment-0001.bin


------------------------------

Message: 2
Date: Thu, 23 Aug 2007 22:14:43 +0200
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070823201443.GA48654@hugo10.ka.punkt.de>
Content-Type: text/plain; charset=iso-8859-1

Hi, wizards,

On Thu, Aug 23, 2007 at 02:42:03PM -0400, Dave Piscitello wrote:
> Marcus, a proposal nearly identical to what you suggest was one of the first
> presented at the IETF in the mid-1990s. At the time, the intelligentiaTF
> poo-pooed it as not being sufficiently forward-looking and innovative. It
> didn't consider 64-bit alignment. It didn't *fix* options. It didn't *fix*
> QOS. It didn't accommodate IP security in a "native" manner.
>
> Happily, time wounds all heels. Over a decade later, and we've bent,
> twisted, tunneled, re-mapped, stretched, and NAT'd IPv4 until it does
> everything IPv6 promised - and now, all IPv6 brings to the table is a bigger
> field for addresses and an ungainly, unwanted and arguably unwarrantable
> transition scenario.

IPv6 brings back the end-to-end principle and NAT its well-deserved
death. This alone should be enough reason to go for it.

And I don't see what should be particularly more difficult to
implement in an IPv6 based application level gateway than in
an IPv4 based one. Terminate both connections in a proxy process
instead of messing with headers. Simple and effective.

OK, honestly, I cannot write an "IPv6" firewall on a jug of beer
and I don't claim I could. But some vendors got it mostly right
for IPv4 simply by using transparent proxy processes instead
of "deep adaptive whatever inspection".

And a TCP connection carrying HTTP is a TCP connection carrying
HTTP regardless of the layer 3 protocol. I expect the few remaining
ALG vendors to be the first to have proper IPv6 capable solutions
for this simple architectural reason.

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de

http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285


------------------------------

Message: 3
Date: Thu, 23 Aug 2007 16:43:12 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: dave@corecom.com
Message-ID: <20070823204312.A546E7660E3@berkshire.machshav.com>
Content-Type: text/plain; charset=US-ASCII

There were a lot of things that went wrong with the IPv6 process. The
net result was that the complexity ended up in the wrong place, fixing
problems no one had and ignoring real problems. Options were fixed,
from the perspective of the routers, but ignoring some of the host
security issues (though since we assumed IPsec, those were perceived to
matter less). ARP was "improved" and DHCP ignored, even though those
worked well. But nothing was done about multihoming, routing table
growth, or ID/locator split because those -- according to some, and I
know that you know whom I'm talking about -- weren't "just like IPv4".

Except for "map and encap", though, I don't think any other decision
would have made the conversion easier or faster. No matter what the
proposal, five years of engineering would have been needed to fill in
all the missing pieces, and more time to convert hosts and apps.
Map-and-encap would have provided transport ability on a v4 backbone,
though, which would have meant that the ISPs could move off the
critical path.


------------------------------

Message: 4
Date: Thu, 23 Aug 2007 16:52:05 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: mbarkett@us.checkpoint.com
Message-ID: <20070823205205.B77EB7660E3@berkshire.machshav.com>
Content-Type: text/plain; charset=US-ASCII

On Wed, 22 Aug 2007 20:02:05 -0400
"Mike Barkett" <mbarkett@us.checkpoint.com> wrote:

> Some of the problems are a bit different due to the increased scale.
> For example, can you think of a good way to proactively scan an
> entire IPv6 subnet for vulnerabilities and rogue hosts? With v4 and
> RFC 1918, it is barely feasible to actively scan 10/8 within a
> reasonable amount of time, so v6 presents a new challenge in this
> respect. Basically, you have to wait until something starts talking
> and then go out and scan it. Either way, you're going to be waiting
> a while before you even know it's there.

I don't think the problem is that bad, though some extra logging may
need to be added to routers. You can always send broadcast pings on
each LAN, monitor switch and router MAC address tables, etc. These are
things that are relatively easy for good guys to do. See
http://www.cs.columbia.edu/~smb/papers/v6worms.pdf for how the bad guys
can do it.


--Steve Bellovin, http://www.cs.columbia.edu/~smb
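As an added example (not from the digest or any of its posters), this is the passive approach Steve describes: instead of sweeping the 2^64 addresses of a /64, walk a router's or host's IPv6 neighbor cache and flag link-layer addresses that are not in an inventory, including anything advertising itself as a router that is not a known router. The `ip -6 neigh show` line format is real; the sample lines, MACs and inventory sets are constructed.

```python
import re

# Constructed sample output in the format of `ip -6 neigh show` (not real data).
SAMPLE_NEIGH = """\
2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router STALE
2001:db8:1::a1b2:c3d4:e5f6:1234 dev eth0 lladdr 0a:bb:cc:dd:ee:ff REACHABLE
fe80::8bb:ccff:fedd:eeff dev eth0 lladdr 0a:bb:cc:dd:ee:ff router STALE
2001:db8:1::77 dev eth0 FAILED
"""

# Constructed inventory: link-layer addresses of known hosts and legitimate routers.
KNOWN_MACS = {"00:11:22:33:44:55"}
KNOWN_ROUTERS = {"00:11:22:33:44:55"}

# One neighbor-cache line: <ipv6> dev <if> [lladdr <mac>] [router] <STATE>
NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-f:]+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>[0-9a-f:]{17}))?"
    r"(?P<flags>(?: \w+)*)$"
)


def parse_neigh(text):
    """Parse neighbor-cache lines into (addr, dev, mac, is_router, state) tuples."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a neighbor entry
        flags = m.group("flags").split()
        state = flags[-1] if flags else ""
        entries.append((m.group("addr"), m.group("dev"), m.group("mac"),
                        "router" in flags, state))
    return entries


def hosts_by_mac(entries):
    """Group resolved IPv6 addresses by link-layer address; skip unresolved ones."""
    by_mac = {}
    for addr, _dev, mac, _is_router, state in entries:
        if mac is None or state in ("FAILED", "INCOMPLETE"):
            continue  # no link-layer address learned; nothing to inventory yet
        by_mac.setdefault(mac, set()).add(addr)
    return by_mac


def rogue_hosts(entries, known_macs):
    """MACs seen on the link that are not in the inventory, with their addresses."""
    return {m: a for m, a in hosts_by_mac(entries).items() if m not in known_macs}


def unexpected_routers(entries, known_routers):
    """MACs carrying the router flag that are not on the list of known routers."""
    return {mac for _a, _d, mac, is_router, _s in entries
            if is_router and mac and mac not in known_routers}
```

Run it periodically against the live cache (or the cache of each router on the LAN) and diff the result against the previous run; a new MAC appearing is the "something starts talking" moment Mike describes, without any active sweep.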


------------------------------

Message: 5
Date: Fri, 24 Aug 2007 02:32:44 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: "Patrick M. Hausen" <hausen@punkt.de>
Message-ID: <20070823223244.GA27901@eltex.net>
Content-Type: text/plain; charset=us-ascii

It will probably take a week of my sole work to convert OpenFWTK to IPv6
and two more weeks for testing. The real question is should I waste 3 weeks
of my time?

On Thu, Aug 23, 2007 at 05:06:55PM -0400, Dave Piscitello wrote:
>
> Having said this, I agree with much of what you say about writing an
> IPv6 firewall. Aside from writing secure code for the IPv6 kernel, a big
> chunk of the work is deciding what of the IPv6 datagram header pose
> security threats and how you intend to use or dispose of them. Vendors
> who wrote ALGs/proxies may in fact have some advantage over "intensely,
> pervasively and ecumenically stateful inspection" (aye, Cap'n).

------------------------------

Message: 6
Date: Thu, 23 Aug 2007 20:27:45 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20070823202605.045243a8@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Steven M. Bellovin wrote:
>You can always send broadcast pings on
>each LAN

Does that work in V6? Sounds like a good DDoS amplifier - any place where
"one packet goes out, zillions come back" is a really useful bit of asymmetry.

mjr.

------------------------------

Message: 7
Date: Thu, 23 Aug 2007 21:31:08 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20070823213014.047228c8@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Dave Piscitello wrote:
>Jot down your proposal in an internet-draft.

The way to fix a broken process is not to work within the process.
Godel may have said something like that... Or was it his brother, Phil?

mjr.

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 11
************************************************
