Obsession With Firewalls Could Hinder IPv6

DosIgriegas writes "The obsession with firewalls in IPv6 may result in some of the quirks of IPv4 reappearing. Ars Technica has an article looking at the topic in depth, exploring the technical challenges of securing the new protocol, and looking a the re-emergence of old problems in new guises. 'Ironically, what's required to make IPv6 work through a stateful firewall is almost identical to what's required to make IPv4 work though NAT. This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4."

Translation

[Zarhan]

"Today we learned, that lots of people who have thought of NAT as a security mechanism, are getting a hit with cluebat when they find out that the IPv4 NAT also implements a stateful firewall as a byproduct. Since there is no NAT with IPv6, you only have to implement stateful firewall without address translation."

Sigh.

This is a non-issue.

What IS an issue are the new IPv6-specific things related to security. You cannot do a network scan anymore since even a /64 is a huge address space to scan and so on. The presentation I watched at IETF Prague was quite interesting: http://www3.ietf.org/proceedings/07mar/slides/v6op s-1/sld1.htm

There are some implementation issues, such as anycast addresses and stuff like that you need to take into account.

However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.

It has already happened

[The+One+KEA]

Linux has already gone down this path - the old IP connection tracking code in the Linux iptables packet filter has already been reworked into a more general layer-3 connection tracking mechanism, with separate 'drivers' for tracking the IPv4 and IPv6 protocols and separate 'plugins' that can handle specialized protocols (FTP, IRC, H.323, PPTP and so on).

I suspect that commercial firewalls will probably follow suit.

stateless firewalls

[greenrom]

You can have a firewall without using NAT. Being able to assign every device a routable address means that you can implement a stateless firewall instead of a stateful firewall. For most purposes, a simple firewall that filtered incomming TCP connection requests and UDP packets on all ports except those specifically allowed would suffice. This has the advantage that the firewall wouldn't need to track the state of TCP connections, and would eliminate problems like firewalls deciding a connection has been idle too long and closing it.

For the home user, being able to assign a routable IP to every PC has other advantages. Do you have multiple PCs with Remote Desktop running that you want to access remotely? NAT makes this difficult since all the PCs share the same IP address and need to listen for connection requests on the same port. Assigning every machine a routable address makes this problem go away. Don't like that example? The same applies to a web server, or SIP phone, or Bittorrent, or a myriad of other applications.

Re:stateless firewalls

[kalugen]

This is totally correct, but there are also other problems with stateless firewalls...

Let me explain what a stateful firewall does (not to you obviously, but I'm reading comments from lots of people that do not seem to fully understand the issue).

A stateful firewall can filter traffic not by just "blocking" some protocols or addresses/ports.

It can police traffic using the abstraction of "connections": you are able to tell it "allow NEW connections to this service, but not to that. And please let come in all traffic that pertains to already ESTABLISHED connections. Discard all INVALID - not NEW or ESTABLISHED - traffic" (yes, I'm taking the terms directly from linux's iptables/netfilter).

This is not simple as it seems... first, there are lots of problems with defining what a "connection" is just by looking at the traffic from the kernel's POV because is usually an application's (user space) work to make sense of all those bytes carried in the payload of TCP/UDP packets.

For plain old tcp session, like the ones used by SMTP or HTTP, this is easy: the protocol itself has the concept of "sessions" (every packet carries a "sequence number" that is used to identify the packet as part of a "session" - yes, this is a possible attack vector, and no, it's not _that_ easy to guess/brute force them. Not anymore). So, HTTP/SMTP and the like are EASILY firewalled and NATted.

But with ICMP or UDP? You have to do some smart tricks in order to implement the "connection" concept, for example: ok, we do not have session numbers, but if you send an ICMP echo request to an IP address, we should expect an ICMP echo reply to come back sooner or later from that same IP address, so here is your ICMP "session" (almost). Sending an ECHO request and receiving (or not) an ECHO reply is what actually happens when you use the "ping" command.

And beasts like FTP or SIP, H323, PPTP... the lot? Those nasty guys generally work by opening a TCP "control" connection, where protocol commands and responses are expected to travel... at some point during the conversation someone issues a command telling the other part(s) to expect a new connection on some other port and maybe with some other protocol... this command means something only to the high-level applications implementing these high-level protocols. It doesn't mean shit to the kernel, because this is not IP, TCP, UDP or ICMP: it's an higher level abstraction.

This is why you have to write special "helpers" for these protocols to bridge the gap and make things work: the "helpers" can intercept and understand the high level protocol commands and manipulate the kernel's notion of what low level traffic is RELATED to an already ESTABLISHED connection, because the kernel can't tell by itself.

In the case of FTP, the corresponding helper looks for the command "open new connection on port xxxrandomxxx for data transfer" (actually, the PORT and PASV commands) in the traffic travelling through the firewall, it figures that the important part is "port xxxrandomxxx" and then marks as "RELATED" traffic coming/going to port xxxrandomxxx (yes, "helpers" are another attack vector, and no... they are generally smarter than in my description, I am oversimplifying... (*)).

The same tricks are needed for some forms of NAT: specifically, the one when you have many hosts/PC on the "inside" and just one public routable address on the "outside" - Cisco calls this "PAT" - so the firewall needs to track "connections" to succesfully map traffic between external and internal hosts. Other forms of NAT includes the much simpler 1:1 (you have 'n' internal addresses and 'n' external addresses) and do not _require_ the tricks.

Having said all that...

Accepting ESTABLISHED tcp connections from port 80 (http) is a LOT different than just allowing generic tcp packets whose source is port 80 to come in, for example.

In the first case you're allowing only legal traffic that constitutes a response to your requests, as per th

Re:IP6 is too complicated

[Just+Some+Guy]

I know you must be trolling, since configuring IPv6 is mostly identical to setting up IPv4. Type an address, a prefix length, and a gateway and go. What's so tricky about that?

Re:Defective by design?

[Kadin2048]

I really don't think the problem is as big as it's being made out to be.

The advantage to IPv6 is that you can have more fully routable addresses, to the point where there wouldn't be any NAT anymore -- you might still have dynamically assigned addresses, but they'd still be fully routable across the entire network. This makes firewalling a lot simpler, because you can have more than one DMZed device.

Devices which are known to be relatively secure and are designed to sit out in full view of the public -- for instance, maybe a VoIP appliance that by definition has to accept incoming traffic, but rejects everything else (but which needs lots of ports and can't tolerate NAT or much 'dumb' firewalling), could be easily put into its own DMZ without compromising the rest of your LAN. Right now, with IPv4 and only one shared IP address per household, this is fairly difficult -- all firewall rules need to be port-based. With IPv6, you can also do more complex address-based routing.

So, let's say you have a network consisting of four devices and an IPv6 firewall; you have two highly insecure Windows boxes (for whatever reason) which aren't designed to and consequently cannot safely be exposed to the world, plus a hardened BSD machine which can have certain ports exposed (say, for email and SSH), and an VoIP appliance which needs to be able to make whatever connections it wants. You configure the firewall (which all traffic passes through) to not perform any packet filtering on the VoIP appliance's address, effectively leaving it outside the perimeter. (Hopefully the manufacturer of the appliance knows what they're doing. But, to be safe, you could set it up so that traffic from it doesn't get let in to the firewalled zone, so someone couldn't compromise it and use it to get in to the rest of your network.) The BSD machine's address gets only the necessary ports opened, with everything else to it automatically rejected. And the Windows boxes are totally firewalled, with all incoming connections rejected unless a port is specifically requested open.

The firewall required to do this isn't any less complex than a current NAT/stateful-firewall, but it provides several advantages. Rather than having only one externally-facing address for the entire LAN, and routing traffic based on the port or TCP connection, you can just route based on the IPv6 address, and create all sorts of (in)flexible rules based on how much trust you have in the destination device, which can include creating further subnets that are isolated from each other, for security purposes.

IPv6 isn't "insecure," in fact I think its wide adoption will greatly enhance end-user security, once people start figuring out how to work with it, and the Linksys and Netgear-type manufacturers start building inexpensive boxes to do the job.

The main difference between v4 and v6 is that with v4, there's a clear demarcation between "LAN" and "WAN." With IPv6, this isn't quite as true; rather than thinking of security in terms of castle walls, you need to use a more fluid metaphor. Everything in your house is part of the "WAN," in terms of addressing, but parts of it may be more secure than others.

Re:NAT needed?

[Kadin2048]

When people talk about using NAT, 99% of the time they don't mean a 1:1 NAT, but a NAPT as found in home routers and configurable in many midsize routers and PC operating systems.

Such a NAPT does offer security because it disallows all uninvited incoming connections and thus shields "services" running on systems inside of the NAPT from access from the Internet.

Sure. But what they're really describing isn't NAT, but rather the stateful firewall that's inherent in all non-trivial implementations of NAT.

Since you can take just the stateful firewall part, and use it with IPv6, there's no security disadvantage there. All you lose is the kludgy NAT parts, and in trade you gain the ability to do much more complex and useful routing -- creating various subnets with different security levels, etc. It's nothing that hasn't been going on with big corporate networks for years (those companies that have Class A blocks and can afford to give every workstation a 'real' IP still have firewalls and security policies), but now home users can have the same flexibility, if they want it.

One word:

[Kadin2048]

What'sdriving it now that wasn't driving it five years ago?

SIP.

Right now, most people haven't run into it, but there's no easy way to have multiple SIP VoIP "lines"* into your house, when you only have one IP address.

* I mean "lines" in the POTS sense, of independent full-duplex telephone circuits, each with their own numbers. And yeah, I know you can get this if you use protocols other than SIP, but they have their own problems.

IPv6 offers that.

[Kadin2048]

You wouldn't need to. IPv6 has the capability of having temporary addresses, where the client machine basically generates the last few bits (actually quite a few) of the address randomly. You can swap these addresses as frequently as you'd like (well, it will probably do Bad Things to the upstream routers if you change them too quickly, and it might be considered abusive at some point) in order to retain a level of anonymity that's greater than or equal to what you have with IPv4+NAT right now. (It's still not true anonymity, and isn't a replacement for systems like Tor, but it would make it close to impossible to figure out which device on your LAN the traffic is coming from, without compromising your LAN's router itself.)

You might want to read this document from the IETF regarding privacy and IPv6. Ensuring privacy, or at least not eliminating it, was a major concern of theirs during the design of v6, and I think you'll find that your privacy is protected just as well or better than it is under IPv4 (which is to say, not really all that well, but if it gives you a warm fuzzy feeling to think so, enjoy).
http://playground.sun.com/ipv6/specs/ipv6-address- privacy.html

Therefore, in the future IPv6-based Internet, we expect many devices to have two kinds of IP addresses:

        * Unique, stable addresses, assigned in any of several possible ways (e.g., by manual configuration, by an address server like DHCP, or by auto-configuration using embedded, factory-assigned LAN addresses), for the purpose of being a target, and for use when initiating communication to other, trusted targets, such as targets within the same home or enterprise.

        * Temporary, transient addresses, such as those containing a random number in place of a factory-assigned serial number, for use when initiating communication to less trusted targets, such as public web servers.

The choice of which kind of address to use when initiating communication is somewhat analogous to the choice that must be made when placing a telephone call in the presence of the "Caller ID" feature, i.e., whether or not to reveal the calling party's number to the called party. IPv6 addresses offer both choices.

Re:Security by obscurity doesn't work

[kebes]

Everything you've said is true...

However, I don't think the argument is "the large IPv6 address space provides robust security" but rather "it's an extra roadblock to attackers."

Switching to the large IPv6 address space doesn't mean that we can get lazy with patching our boxes, surfing safely, blocking ports, having strong passwords, and so on. However, it does mean, at least, that one vector of attack (port scanning) is no longer possible, or at least very difficult.

All the workarounds and attacks you describe are certainly possible, but they mean extra effort on the part of the attacker, which induces a corresponding decrease in the frequency and success rate of attacks. And it's worth noting that in addition to the workarounds that the attackers will no doubt employ, there may very well be some clever usages of IPv6 to counter them. For instance, if I'm in control of 10^20 addresses, I may run my web browser from a VM whose IP address changes on every connection. So knowing the IP of my web-browser doesn't give you the IP of my file server, etc. Similarly the 10^20 - 4 addresses that I'm not using can be a very efficient honeypot for detecting attackers.

To re-iterate: the large address space of IPv6 should not be viewed as "killer security"... but nor should we ignore that it will provide a (arguably minor) security advantage.