Slashdot Mirror

← Back to Stories (view on slashdot.org)

Obsession With Firewalls Could Hinder IPv6

Posted by Zonk on from the keep-the-chains-off dept.

DosIgriegas writes "The obsession with firewalls in IPv6 may result in some of the quirks of IPv4 reappearing. Ars Technica has an article looking at the topic in depth, exploring the technical challenges of securing the new protocol, and looking a the re-emergence of old problems in new guises. 'Ironically, what's required to make IPv6 work through a stateful firewall is almost identical to what's required to make IPv4 work though NAT. This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4."

4 of 278 comments (clear)

  1. Re:Defective by design? by Detritus · · Score: 4, Interesting
    You can still have firewalls, it's just that some firewall "features" have unintended consequences.

    The old-style stateless firewall will work just fine.

    --
    Mea navis aericumbens anguillis abundat
  2. Re:Translation by Raphael · · Score: 5, Interesting

    However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.

    There are also some features of NAT that I would like to keep even when using IPv6, the main one being the ability to hide the topology of my networks from the outside world. So in a way, I do want to have some connectivity issues.

    For example, I currently maintain a firewall and NAT box that has a pool of several public IP addresses (Internet access) on one of its interfaces, and 3 additional network cards connected to different networks. Each of these 3 networks contains a number of machines and some servers for various protocols that are mapped to some of the public IP addresses. One of these private networks is rather open (with protocols such as NIS and NFS used by most hosts) and another one is rather secure (no host trusts any other host on the same subnet). I do not want to allow an external attacker to guess on which network a given server could be. Maybe this extra level of security through obscurity is not really necessary, but I want to maximize my chances in case of an attack (e.g., zero-day exploits). Some services that I mapped to an external IP address and port may go to a server on one network, while the same IP address but a different port may go to a different network. I do not want to reveal too much information about the topology of my networks, that's why I like NAT.

    NAT causes some connectivity issues, but I consider some of them as features, not problems. Oh, and I know that some people claim that the network hiding brought by NAT is just some false security and that IPv6 with its much larger address space will also make it difficult to scan hosts on a network. But that's not the point here: hiding the topology is just one of the many layers of security that I use, and the larger address space of IPv6 will not prevent some information from being disclosed in routing table updates, etc.

    --
    -Raphaël
  3. Re:IPv6 Needed? by Znork · · Score: 4, Interesting

    "What'sdriving it now that wasn't driving it five years ago?"

    Virtualization. Where you once had one machine serving several applications, it's now become trivial to separate applications into differing vm's for security, simplicity and scalability. You'll still want to adress the unique vm's, and ipv6 is a great way to do it.

    Fast forward ten years and you'll have applications the way you have VM's today. Instead of deploying an app on a specific platform, you'll be able to deploy a VM image like you fork a process today. If you thought you needed IP's today, wait 'til your processes not only require their own PID but also their own IP address.

  4. Re:IPv6 Needed? by numbski · · Score: 4, Interesting

    Actually, the inability for the small guy to get an IPv6 allocation from ARIN is more than a bit annoying. I was willing to pick up a block of IPv6 addresses to built out my data center on, and then use IPv4 tunnelling where required. I couldn't get an allocation unless I had enough customers to use a full (IPv6) /32, which of course I don't. We're just starting out, so they basically force the little guy to use IPv4, and then do a migration later. This is LAME. They don't even charge for IPv6 allocations, so far as I can tell there's a monetary sub-motive here to squeeze as much money out of IPv4 as they can, and if you're big enough, they'll let you have IPv6 for free. If you're too small, either buy an IPv4 block, or go buy an IPv6 block from one of the big guys that got it for free. :\

    --

    Karma: Chameleon (mostly due to the fact that you come and go).