Blog index > Archives > IPv6 in the Fast Lane
avatar

CISCO IOS Firewall For IPv6

Tuesday, September 27th, 2011

This is the most simple Firewall you may find for IPv6.

It is both trivial to configure and powerful enough to provide the basic security that you need.

For a more powerful and detailed configuration with CISCO IOS, you may be interested in CISCO IOS Zone-based Firewall for IPv6.

Other details about these Firewalls include…
Read the rest of this entry »

No Comments
avatar

Recommendation for IPv6 Stateful Firewalls

Monday, September 26th, 2011

IPv6 provides an address for each node on the Internet. So NAT has no more use for address depletion.

NAT also provides some basic security. But NAT as any stateful device can also be the target for DoS attacks. And any NAT device within a network provides an easily exploited opportunity for undetected Man In The Middle (MITM) attacks. Only End-to-End security offers protection from exploits related with ARP or ND+MLD where End-to-End security is likely only possible with IPv6. This does not need to be IPsec.

A RFC was written to explain how to get the security benefits provided by NAT without NAT.
This is rfc4864 Local Node Protection

Read the rest of this entry »

No Comments
avatar

IPv6 restoring End to End connectivity, is it a myth ?

Saturday, September 10th, 2011

Introduction

The IPv6 main drivers for adoption are a large address space which does not require any Network Address Translation (NAT) anymore, a simpler header which should permit a more efficient switching and the Extension headers which allow adding any service at the Network Layer rather than the Transport Layer when needed. A great example of an application which benefits from the Extension headers is the IP Mobility which has been greatly optimized with IPv6.

The eradication of NAT is supposed to get us back to the Internet the way it was designed at the origin, before NAT was introduced as a workaround for address depletion. It will restore the end to end connectivity which will permit IPSec and Peer-to-Peer applications. This is a real benefit in terms of performances and new features for many Voice or Conferencing applications for instance where we will not have to communicate through a server like Skype.

NAT and Transition

But many people still resist against this change because they Read the rest of this entry »

1 Comment
avatar

Secure the IPv6 Network Access with SEcure Neighbor Discovery (SEND, rfc3971 and CGA, rfc3972)

Tuesday, August 30th, 2011

Introduction

IPv6 Nodes on the same link use NDP (rfc4861) to discover each other’s presence and link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.  Both hosts and routers use NDP.  Its functions include Neighbor Discovery (ND), Router Discovery (RD), Address Autoconfiguration, Address Resolution, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), and Redirection.

If not secured, NDP is vulnerable to various attacks. SEND specifies security mechanisms for NDP.  Unlike those in the original NDP specifications, these mechanisms do not use IPsec.

Read the rest of this entry »

No Comments