Obsession With Firewalls Could Hinder IPv6

DosIgriegas writes "The obsession with firewalls in IPv6 may result in some of the quirks of IPv4 reappearing. Ars Technica has an article looking at the topic in depth, exploring the technical challenges of securing the new protocol, and looking a the re-emergence of old problems in new guises. 'Ironically, what's required to make IPv6 work through a stateful firewall is almost identical to what's required to make IPv4 work though NAT. This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4."

Translation

[Zarhan]

"Today we learned, that lots of people who have thought of NAT as a security mechanism, are getting a hit with cluebat when they find out that the IPv4 NAT also implements a stateful firewall as a byproduct. Since there is no NAT with IPv6, you only have to implement stateful firewall without address translation."

Sigh.

This is a non-issue.

What IS an issue are the new IPv6-specific things related to security. You cannot do a network scan anymore since even a /64 is a huge address space to scan and so on. The presentation I watched at IETF Prague was quite interesting: http://www3.ietf.org/proceedings/07mar/slides/v6op s-1/sld1.htm

There are some implementation issues, such as anycast addresses and stuff like that you need to take into account.

However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.

It has already happened

[The+One+KEA]

Linux has already gone down this path - the old IP connection tracking code in the Linux iptables packet filter has already been reworked into a more general layer-3 connection tracking mechanism, with separate 'drivers' for tracking the IPv4 and IPv6 protocols and separate 'plugins' that can handle specialized protocols (FTP, IRC, H.323, PPTP and so on).

I suspect that commercial firewalls will probably follow suit.

Re:Defective by design?

[Kadin2048]

I really don't think the problem is as big as it's being made out to be.

The advantage to IPv6 is that you can have more fully routable addresses, to the point where there wouldn't be any NAT anymore -- you might still have dynamically assigned addresses, but they'd still be fully routable across the entire network. This makes firewalling a lot simpler, because you can have more than one DMZed device.

Devices which are known to be relatively secure and are designed to sit out in full view of the public -- for instance, maybe a VoIP appliance that by definition has to accept incoming traffic, but rejects everything else (but which needs lots of ports and can't tolerate NAT or much 'dumb' firewalling), could be easily put into its own DMZ without compromising the rest of your LAN. Right now, with IPv4 and only one shared IP address per household, this is fairly difficult -- all firewall rules need to be port-based. With IPv6, you can also do more complex address-based routing.

So, let's say you have a network consisting of four devices and an IPv6 firewall; you have two highly insecure Windows boxes (for whatever reason) which aren't designed to and consequently cannot safely be exposed to the world, plus a hardened BSD machine which can have certain ports exposed (say, for email and SSH), and an VoIP appliance which needs to be able to make whatever connections it wants. You configure the firewall (which all traffic passes through) to not perform any packet filtering on the VoIP appliance's address, effectively leaving it outside the perimeter. (Hopefully the manufacturer of the appliance knows what they're doing. But, to be safe, you could set it up so that traffic from it doesn't get let in to the firewalled zone, so someone couldn't compromise it and use it to get in to the rest of your network.) The BSD machine's address gets only the necessary ports opened, with everything else to it automatically rejected. And the Windows boxes are totally firewalled, with all incoming connections rejected unless a port is specifically requested open.

The firewall required to do this isn't any less complex than a current NAT/stateful-firewall, but it provides several advantages. Rather than having only one externally-facing address for the entire LAN, and routing traffic based on the port or TCP connection, you can just route based on the IPv6 address, and create all sorts of (in)flexible rules based on how much trust you have in the destination device, which can include creating further subnets that are isolated from each other, for security purposes.

IPv6 isn't "insecure," in fact I think its wide adoption will greatly enhance end-user security, once people start figuring out how to work with it, and the Linksys and Netgear-type manufacturers start building inexpensive boxes to do the job.

The main difference between v4 and v6 is that with v4, there's a clear demarcation between "LAN" and "WAN." With IPv6, this isn't quite as true; rather than thinking of security in terms of castle walls, you need to use a more fluid metaphor. Everything in your house is part of the "WAN," in terms of addressing, but parts of it may be more secure than others.