Fwd: Re: [suse-security] ipv6 insecure?

---------- Forwarded Message ----------
Subject: Re: [suse-security] ipv6 insecure?
Date: Sat, 20 Apr 2002 11:02:29 +0200
From: Peter Bieringer <pb@bieringer.de>
To: jsa@pen.homeip.net, jfweber@bellsouth.net, Suse Security <suse-security@suse.com>

Hi, the author speaks ;-)

--On Friday, April 19, 2002 05:37:36 PM -0800 John Andersen <jsa@pen.homeip.net> wrote:
IPv6 has no mechanism like masquerading or PAT/NAT/PNAT per design, because it breaks the mandatory feature end-to-end security. This results in an end-to-end connection through anything in between. This leads to some issues:

1) Basic firewalling can be done using simple port filters like in earlier IPv4 days, or advanced (dynamic) port filters like some commercial and open source firewalls do today. Currently known for IPv6:
 * Cisco routers with static port filters
 * BSD ipfilter (don't know about state support)
 * Linux netfilter (state support experimental)

2) If no firewalling is done, but IPv6 access is established, a client is in fact completely "IPv6-open" to the Internet, even if protected by IPv4 firewalls.

3) A short screening of popular commercial firewall vendors results mostly in "no IPv6 support today".

4) IPv4 people also have to rethink "We are secure because we use private IPv4 addresses and a dynamic port filter FW or simple transparent proxy FW", because:
 - you are able to tunnel most of the traffic over HTTPS, HTTP (think about SOAP), ICMP, DNS a.s.o. or other valid encrypted traffic. Only very few firewalls (try to) do full payload checking and rewriting (the last one is important). For IPv6, such transparent check&rewrite proxies are needed.

Result:
 * For partial protection: establish gateway security as much as you can.
 * For total protection: forget gateway security for IPv6 (for IPv4 also...). You can block some ports, but what happens if end-to-end security is established (mandatory feature)? The gateway sees nothing anymore.
 * Establish centrally managed client security (problem here: buggy clients, unsupported OS...). Some antivirus software vendors are already on the way to do that, because what about a virus in a PGP or S/MIME e-mail or coming over HTTPS? Gateway scanners see nothing here, too!
The article was in the May/02 Linux Magazine (USA edition).
It's already available? Oh... have to wait for the issue here (they send me some).

Peter
-------------------------------------------------------
--
_________________________________________________
No I Don't Yahoo!
And I'm getting pretty sick of being asked if I do.
_________________________________________________
John Andersen / Juneau Alaska

Hi
This probably isn't within the scope of this list, but what about OpenBSD and IPv6? The developers make a great deal of words about its firewalling capabilities. Personally I prefer Linux, but I suppose that we have to accept that some things can't be done?

Thank you
--
Richard

Date: Sat, 20 Apr 2002 11:02:29 +0200
From: Peter Bieringer <pb@bieringer.de>
As the SuSE kernel and some SuSE server packages have IPv6 enabled by default, I want to be sure that my SuSEfirewall2 is protecting these running servers. What rules/chains should I look for? Do I need to add custom rules? (In my case I don't want to expose any of them to the dial-up interface. I use sshd over v6 on the internal ethernet, but only for convenience of configuration; I could switch to IPv4 if I need to.)

I guess I also need to explore the nessus or nmap docs to see if I can set up a laptop to test the ppp interface of my little home gateway/server/workstation for IPv6 connectivity.

dproc
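Peter's point (2) above, that an unfirewalled host is completely "IPv6-open" even behind an IPv4 firewall, and dproc's question about which IPv6-enabled services his SuSE box is actually exposing, can both be checked from the host itself before any port scan. The following is an added example, not code from the thread or from SuSEfirewall2: it parses Linux `/proc/net/tcp6`, decodes the kernel's hex address format (x86 little-endian word order assumed), and lists every LISTEN socket by scope so the ones bound to all interfaces stand out; the embedded sample file is constructed.

```python
"""List IPv6 listening sockets from /proc/net/tcp6 and flag the exposed ones."""
import ipaddress
import sys

# Constructed stand-in for /proc/net/tcp6: sshd on [::]:22 (LISTEN), a service
# on [::1]:631 (LISTEN), one on [fe80::1]:8080 (LISTEN) and one ESTABLISHED
# connection that must be ignored. Hex words are little-endian as on x86.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 000080FE000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0000000000000000FFFF00000100000A:8A3C 0000000000000000FFFF00000100000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp6


def decode_addr(hex_addr: str) -> ipaddress.IPv6Address:
    """The kernel prints the in6_addr as four 32-bit words in host byte order,
    so on a little-endian machine each 8-hex-char word must be byte-reversed."""
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, 32, 8))
    return ipaddress.IPv6Address(raw)


def classify(addr: ipaddress.IPv6Address) -> str:
    """Scope of the bind address; '::' means reachable on every interface."""
    if addr == ipaddress.IPv6Address("::"):
        return "ALL-INTERFACES"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "global"  # specific global or IPv4-mapped address


def find_listeners(text: str):
    """Return [(address, port, scope)] for each LISTEN entry, skipping the header."""
    result = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        result.append((str(addr), int(hex_port, 16), classify(addr)))
    return result


def exposed(text: str):
    """Listeners an IPv4-only firewall leaves reachable over IPv6."""
    return [(a, p) for a, p, s in find_listeners(text) if s in ("ALL-INTERFACES", "global")]


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TCP6
    for a, p, s in find_listeners(data):
        print(f"[{a}]:{p:<5} {s}")
```

Run it with no argument to see the constructed sample, or with `/proc/net/tcp6` as the argument on a live Linux host; anything reported as ALL-INTERFACES or global is a candidate for an explicit ip6tables rule or a loopback-only bind.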
