Obsession With Firewalls Could Hinder IPv6
DosIgriegas writes "The obsession with firewalls in IPv6 may result in some of the quirks of IPv4 reappearing. Ars Technica has an article looking at the topic in depth, exploring the technical challenges of securing the new protocol, and looking at the re-emergence of old problems in new guises. 'Ironically, what's required to make IPv6 work through a stateful firewall is almost identical to what's required to make IPv4 work through NAT. This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4."
"Today we learned that lots of people who have thought of NAT as a security mechanism are getting hit with a cluebat when they find out that IPv4 NAT also implements a stateful firewall as a byproduct. Since there is no NAT with IPv6, you only have to implement a stateful firewall without address translation."
Sigh.
This is a non-issue.
What IS an issue are the new IPv6-specific things related to security. You cannot do a network scan anymore since even a /64 is a huge address space to scan and so on. The presentation I watched at IETF Prague was quite interesting: http://www3.ietf.org/proceedings/07mar/slides/v6ops-1/sld1.htm
There are some implementation issues, such as anycast addresses and stuff like that you need to take into account.
However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.
Linux has already gone down this path - the old IP connection tracking code in the Linux iptables packet filter has already been reworked into a more general layer-3 connection tracking mechanism, with separate 'drivers' for tracking the IPv4 and IPv6 protocols and separate 'plugins' that can handle specialized protocols (FTP, IRC, H.323, PPTP and so on).
I suspect that commercial firewalls will probably follow suit.
SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
I would say I personally am not obsessed with firewalls per se, I'm obsessed with privacy and security.
The firmware on a firewall also has a much smaller amount of code to debug in order to make sure that it will function properly all the time. I would never assume that my Windows XP machine was properly patched with enough confidence to plug it straight into a cable modem all the time.
I am also not interested in having each computer in my home being identified and tracked individually, and I don't pirate software or download music. As such, even if the need for NAT is removed, I would still be highly interested in purchasing a device to block incoming connections and mask my IP address (maybe by swapping with other devices within my home on certain connections).
Since we have the attention of the IPv6 crowd, everyone should add this record to your forward zones:
aacs IN AAAA 09f9:1102:9d74:e35b:d841:56c5:6356:88c0
-CR
"So is the BSD licence even more 'free' (than GPLv2)? Yes. Unquestionably." --Linus Torvalds (TinyURL.com/2vugzl)
Not to mention your average consumer ISP, which, like a cable company, would love to start charging "per outlet".
Much as a NAT-less world might be easier to build and debug, I think I'm happier if my network connection is like my electric connection.
One connection delivers: all electric energy / all bits
I can go up to a max of: 200 amps / 5 Mbps
I might still be billed: by energy used / by gigabytes sent
But I don't pay extra: for more outlets / for more devices
I cover all the costs: of the electric panel / of the router
Handing someone else the information to break the above model is not something I want to do.
I really don't think the problem is as big as it's being made out to be.
The advantage to IPv6 is that you can have more fully routable addresses, to the point where there wouldn't be any NAT anymore -- you might still have dynamically assigned addresses, but they'd still be fully routable across the entire network. This makes firewalling a lot simpler, because you can have more than one DMZed device.
Devices which are known to be relatively secure and are designed to sit out in full view of the public -- for instance, maybe a VoIP appliance that by definition has to accept incoming traffic, but rejects everything else (but which needs lots of ports and can't tolerate NAT or much 'dumb' firewalling), could be easily put into its own DMZ without compromising the rest of your LAN. Right now, with IPv4 and only one shared IP address per household, this is fairly difficult -- all firewall rules need to be port-based. With IPv6, you can also do more complex address-based routing.
So, let's say you have a network consisting of four devices and an IPv6 firewall; you have two highly insecure Windows boxes (for whatever reason) which aren't designed to and consequently cannot safely be exposed to the world, plus a hardened BSD machine which can have certain ports exposed (say, for email and SSH), and a VoIP appliance which needs to be able to make whatever connections it wants. You configure the firewall (which all traffic passes through) to not perform any packet filtering on the VoIP appliance's address, effectively leaving it outside the perimeter. (Hopefully the manufacturer of the appliance knows what they're doing. But, to be safe, you could set it up so that traffic from it doesn't get let in to the firewalled zone, so someone couldn't compromise it and use it to get in to the rest of your network.) The BSD machine's address gets only the necessary ports opened, with everything else to it automatically rejected. And the Windows boxes are totally firewalled, with all incoming connections rejected unless a port is specifically requested open.
The firewall required to do this isn't any less complex than a current NAT/stateful-firewall, but it provides several advantages. Rather than having only one externally-facing address for the entire LAN, and routing traffic based on the port or TCP connection, you can just route based on the IPv6 address, and create all sorts of (in)flexible rules based on how much trust you have in the destination device, which can include creating further subnets that are isolated from each other, for security purposes.
IPv6 isn't "insecure"; in fact I think its wide adoption will greatly enhance end-user security, once people start figuring out how to work with it, and the Linksys and Netgear-type manufacturers start building inexpensive boxes to do the job.
The main difference between v4 and v6 is that with v4, there's a clear demarcation between "LAN" and "WAN." With IPv6, this isn't quite as true; rather than thinking of security in terms of castle walls, you need to use a more fluid metaphor. Everything in your house is part of the "WAN," in terms of addressing, but parts of it may be more secure than others.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
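The four-host scenario in the post above (unfiltered VoIP appliance, hardened BSD box with SSH and SMTP open, two fully firewalled Windows hosts) and the earlier comment about Linux's layer-3 connection tracking both describe the same mechanism: a per-address policy on top of a flow table. The following is an added example written for this thread, not code from any poster and not a real firewall; it is a small Python model of that logic. The addresses (from the 2001:db8::/32 documentation prefix), host names, the open-port set and the packets are all constructed.

```python
from dataclasses import dataclass
import ipaddress

# Constructed sample addressing (2001:db8::/32 is the documentation prefix).
LAN = ipaddress.ip_network("2001:db8:1::/64")
VOIP = ipaddress.ip_address("2001:db8:1::10")        # appliance, left outside the perimeter
BSD = ipaddress.ip_address("2001:db8:1::20")         # hardened host, selected ports open
WIN1 = ipaddress.ip_address("2001:db8:1::31")        # fully firewalled
WIN2 = ipaddress.ip_address("2001:db8:1::32")        # fully firewalled
INTERNET = ipaddress.ip_address("2001:db8:ffff::1")  # some remote peer

UNFILTERED = {VOIP}            # addresses the firewall does not filter at all
OPEN_PORTS = {BSD: {22, 25}}   # inbound ports explicitly opened per protected host


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    sport: int
    dport: int
    syn: bool = False          # True on a TCP connection-opening segment


class StatefulFirewall:
    """Address-based zoning plus a minimal connection-tracking table."""

    def __init__(self):
        # Flows admitted in their forward direction, as (src, sport, dst, dport).
        self.conntrack = set()

    def _tracked(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.conntrack or reverse in self.conntrack

    @staticmethod
    def _protected(addr):
        # The protected zone is the LAN minus the hosts deliberately left unfiltered,
        # so the appliance is treated exactly like an Internet host when it talks inward.
        return addr in LAN and addr not in UNFILTERED

    def filter(self, pkt):
        # 1. Traffic to an unfiltered address is never inspected. A LAN host opening a
        #    flow to the appliance is still recorded, so the appliance's replies come
        #    back via the tracking table rather than via any rule trusting the appliance.
        if pkt.dst in UNFILTERED:
            if self._protected(pkt.src) and pkt.syn:
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # 2. Packets belonging to a flow already admitted (ESTABLISHED).
        if self._tracked(pkt):
            return "ACCEPT"
        # 3. Anything else that is not a connection start has no state: drop it,
        #    the way Linux conntrack classifies such segments as INVALID.
        if not pkt.syn:
            return "DROP"
        # 4. New flow from a protected host: allowed out and remembered.
        if self._protected(pkt.src):
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # 5. New flow towards a protected host, from the Internet or from the
        #    unfiltered appliance: only if that port is open on that destination.
        if self._protected(pkt.dst) and pkt.dport in OPEN_PORTS.get(pkt.dst, set()):
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "REJECT"


def demo():
    """Run a handful of constructed packets and return their verdicts."""
    fw = StatefulFirewall()
    cases = [
        ("internet -> voip 5060", Packet(INTERNET, VOIP, 40000, 5060, syn=True)),
        ("voip -> win1 445", Packet(VOIP, WIN1, 40001, 445, syn=True)),
        ("internet -> bsd 22", Packet(INTERNET, BSD, 40002, 22, syn=True)),
        ("internet -> bsd 80", Packet(INTERNET, BSD, 40003, 80, syn=True)),
        ("win1 -> internet 443", Packet(WIN1, INTERNET, 50000, 443, syn=True)),
        ("reply internet:443 -> win1", Packet(INTERNET, WIN1, 443, 50000)),
        ("stray internet:443 -> win2", Packet(INTERNET, WIN2, 443, 50001)),
    ]
    return {name: fw.filter(pkt) for name, pkt in cases}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The point the model makes visible is the one the post makes in prose: none of the decisions depend on a shared external address or a port-to-host mapping, only on which zone each IPv6 address is in and on the flow table. The same table that lets a Windows host's replies in is what lets the appliance answer a LAN host, while a connection the appliance initiates inward is judged like any Internet host's.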