Draft: Firewalling Considerations for IPv6
Jeroen Massar on Tuesday, 04 March 2003 16:34:07
Pekka Savola announced a new draft to v6ops:
Hi,
I've updated my "IPv6 Firewalling Considerations" draft, and it will be
available in the repositories before the meeting. In the mean time, it
can be found at:
draft-savola-v6ops-firewalling-01.txt
As a sugar on top to encourage you folks to read it, I've added (in an
appendix) an IPv6-specific DoS reflection attack (with amplification)
involving multicast. I hope that's enough to make folks read & comment
;-)
Abstract:
There are quite a few potential problems regarding firewalling or
packet filtering in IPv6 environment. These include slight ambiguity
in the IPv6 specification, problems parsing packets beyond unknown
Extension Headers and Destination Options, and introduction of end-
to-end encrypted traffic and peer-to-peer applications. There may
also be need to extend packet matching to include some Extension
Header or Destination Option fields. This draft discusses these
issues to raise awareness and proposes some tentative solutions or
workarounds.
Draft: Firewalling Considerations for IPv6
Shadow Hawkins on Sunday, 11 January 2004 12:13:21
Since the link seems to be dead, here's one currently working. Also seems it's an update ("-02").
http://www.ietf.org/internet-drafts/draft-savola-v6ops-firewalling-02.txt
btw: Perhaps someone can help me with this:
I just fooled myself by blocking neighbor discovery messages to/from "universe", i.e. they were only allowed to/from the tunnel endpoint and to/from my LAN. This didn't seem to be enough. My router's syslog was full of lines like
Jan 11 11:55:26 kernel: icmpv6_send: no reply to icmp error
So I currently have all neighbor adv icmp types accepted. One thing is I'm not sure which ones I definitely need (or which ones are dangerous to allow) because there are also reverse ones from another RFC - here's the list of relevant icmpv6 types:
135 - (RFC 2461): Neighbor Solicitation
136 - (RFC 2461): Neighbor Advertisement
141 - (RFC 3122): Inverse Neighbor Discovery Solicitation Message
142 - (RFC 3122): Inverse Neighbor Discovery Advertisement Message
Ok, now you can tell me "Go and read those RFCs...", but perhaps someone of you already has some working ip6tables config ready to post here - perhaps with some enlightening comments;)
Greets,
Wolfgang
Draft: Firewalling Considerations for IPv6
Shadow Hawkins on Sunday, 27 May 2007 17:06:13
Given link don't seem to work for me, but this one does: http://tools.ietf.org/html/draft-savola-v6ops-firewalling-02
Draft: Firewalling Considerations for IPv6
Shadow Hawkins on Wednesday, 11 June 2008 20:55:22 I just fooled myself by blocking neighbor discovery messages to/from "universe", i.e. they were only allowed to/from the tunnel endpoint and to/from my LAN. This didn't seem to be enough.
ND messages are sent from a link-local address, not from a global address, and are sent to a link-local multicast group. You should not need to block them, the link-local addresses are unroutable anyhow.
So I currently have all neighbor adv icmp types accepted. One thing is I'm not sure which ones I definitely need
Don't bother. The specs are explicitly designed to make sure it's a non-issue.
--Juliusz
Draft: Firewalling Considerations for IPv6
Jeroen Massar on Sunday, 11 January 2004 12:30:46
Pekka likes to update his drafts ;)
Next to that all these icmp's are link-local (fe80::) sourced and have a destination to either a link-local or multicast address.
If you really want to closedown your box just default deny tcp/udp, opening up what you want to allow and rate limit ICMPv6.
Note also that if you block ICMPv6 you might also block Multicast support ;)
Re: Draft: Firewalling Considerations for IPv6
Shadow Hawkins on Sunday, 11 January 2004 13:32:22
Aah, the old link is dead _because_ there's a newer version... and the old one moved to an "old-versions"-subdir. For some more of Pekka's IETF drafts just browse to
http://www.netcore.fi/pekkas/ietf/
Greets,
Wolfgang
Posting is only allowed when you are logged in. |