Contents
Development and testing IPv6 firewalls and IPv6 security services
From the security point of view the IPv6 and related protocol elements can be categorised
- Security features of IPv6 protocol
- Security features of obligatory protocol elements of IPv6 e.g. IPSec
- Security features of additional protocol elements of IPv6 e.g. SEND
- IPv6 firewalls
- IPv6 IDS/IPS systems
The project investigated the IPv6 firewalls, but sake of completness we put other IPv6 security elements in context.
IPv6 protocol and security
Documents to IPv6 security
- Overview of security of IPv6 protocol
6NET document about security of IPv6 - Authors: János Mohácsi, Georgios Koutepas, Athannasios Liakopoulos, Eric Vyncke, Carlos Friacas - in English
Overview of security of IPv6 protocol - Authors: János Mohácsi - in Hungarian
- IETF RFC and drafts related to security of IPv6 protocol
IPv6 security overview draft - Authors: Elwyn Davies, S. Krishnan, P. Savola
Security Considerations for 6to4 - Authors: P. Savola, C. Patel
Using IPsec to Secure IPv6-in-IPv4 Tunnels - Authors: R. Graveman, M. Parthasarathy. P. Savola, H. Tschofenig
Recommendations for Filtering ICMPv6 Messages in Firewalls- Authors: E. Davies, J. Mohacsi
- Presentation about IPv6 security
IPv6 Security presentation- 6DISS workshop Kopaonik, Serbia March 2006 - Presented:
IPv6 Security presentation- 6DISS workshop Port Elizabeth, South-Afric, September 2005 - Presented: János Mohácsi
The Security Implications of IPv6 - Terena Networking Conference 2006, Catania, Italy - Presented: Mike Warfield
IPv6 Dual Stack Security Considerations - October 2004, Internet2 Fall 2004, IPv6 Security Panel - D. Miller, S. Convery,
IPv6 Security: New threats and countermeasures - 3rd 6NET workshop & GARR 2005 conference, Pisa, Italy - Presented: János Mohácsi
Security of IPv6: from a firewalls point of view - Terena Networking Conference 2004, Rhodes, Greece - Presented: János Mohácsi
What are the new challenges in securing IPv6 networks? 2nd 6NET workshop, Terena Networking Conference 2003, Zagreb, Croatia - Presented: Eric Marin
IPv6 firewalls - TF-NGN meeting October 2001, Athens - Presented: János Mohácsi
- Other articles:
Worm Propagation Strategies in an IPv6 Internet ;login:, February 2006 - Authors: Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick
Transient Addressing for Related Processes: Improved Firewalling by Using IPV6 and Multiple Addresses per Host - Proceedings of the Eleventh Usenix Security Symposium, August 2001, - Authros: Peter M. Gleitz and Steven M. Bellovin
Documents related to IPSec
Documents related to SEND
IPv6 firewalls
The IPv6 firewalls started to appear in the operating system in 2001, but in usable form around 2004. In out project we tested the freely or easily available firewalls (e.g. built-in to routers. We wanted to test some commercially available firewalls like Checkpoint but did not get any useful answer.
We tested IPv6 firewalls systematically, in order to verify their capabilities and they are fullfil their roles.
BSD pf firewall
The pf packet filter firewall developed for OpenBSD has been supporting IPv6 since 2002. Since December 2004 all the freely available BSD operating system (FreeBSD, NetBSD, OpenBSD) contains pf packet filter firewall, which is supporting stateful packet inspection for easier, more correct and more powerful configuration.
The tutorials developed during the project are available here:
- BSD pf configuration examples
FreeBSD ip6fw firewall
The ipfw firewall system, which was originally developed for BSDI, and completely rewritten from scratch to FreeBSD, was ported to IPv6 KAME projekt under the name . This IPv6 ported firewall system was integrated completely to FreeBSD. Sample configuration files for IPv6 application can be found /etc/rc.firewall6 file. Despite its integration the ip6fw does not support stateful packet inspection (ipfw supports stateful packet inspection). Thanks to the latest development in FreeBSD 6.1 IPv6 rules can be set up with ipfw.
- Sample FreeBSD ip6fw configuration files
Linux Netfilter/ip6tables firewall
Linux kernel since version 2.6.16 supports IPv6 connection tracking operation. It was implemented separately from the ip connection tracking. This caused some deficiency: There was no support for NAT in NF connection tracking. Linux kernel since version 2.6.20 supports the NAT module for NF connection tracking thanks to work of József Kadlecsik. Kernel configuration for NF connection tracking:
- Switch of the default connection tracking module (IP_NF_CONNTRACK)
- Connection tracking (required for masq/NAT)
- Layer 3 Independent Connection tracking (EXPERIMENTAL)
- Compile in the kernel the following modules:
- ip6table_filter - firewall filter module
- nf_conntrack_ipv6 - IPv6 connection tracking
- nf_conntrack_ftp - FTP helper
.
- Introduction to usage of Netfilter in IPv6 environment
SecureFilter 2.3
As a result of the project KFKI-RMKI SzHK developed new version of SecureFilter firewall system (v2.3), which supports IPv6 also next to IPv4.
The latest version of SecureFilter and related documents are available at the software project page: http://www.kfki.hu/cnc/projekt/securefilter/
IPv6 usage of Cisco ACL
The Cisco IOS 12.2(2) T train and alter or 12.3(1) Mainline and later or IOS 12.2(14)S service provider train and later supports IPv6 packet filtering. At the level of packets there are two type of filtering possible:
- Standard ACL filtering - only IPv6 addresses can be used for filtering
- Extended ACL filtering - protocol fileds and application ports can be used next to IPv6 addresses
It is possible to simulate the stateful packet inspection with reflexive ACLs. Handling of IPv6 FTP connections are supported after 12.3(11)T version - with help of ftp inspection - since the content of ipv6 ftp packet has to be parsed this feature is implemented in software - supported on SW platforms.
Note! The Cisco ACLs are using a very strange implicit rule:
- If there is NO deny rule, then implicitly enables the Neighbor Discovery packets
permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any
- If there is a deny rule, then we HAVE to explicitly enable Neighbor Discovery packets in the rules!
Microsoft Windows XP (SP2 and later) & Windows 2003 firewall
Microsoft Windows XP SP2 and later and Windows 2003 server systems have built-in firewalls, which can filter incoming packets - but only incoming packets. It is using the mostly same rules for IPv6 as it is used for IPv4- helping seting up consistent firewall rules. An additional options for IPv6, your have to separately enable IPv6 PATH-MTU-Discovery on ICMP tab.
Warning! Windows firewall cannot filter packets outgoing from the protected networks/hosts - on hosts it can be blocked at process level security center.
Note! Other windows firewalls (e.g. Kerio, ZoneAlarm etc.) does not support IPv6. It is time to support it.