firewall-wizards January 2011 archive
Main Archive Page > Month Archives  > firewall-wizards archives
firewall-wizards: Re: [fw-wiz] IPv6

Re: [fw-wiz] IPv6

From: Dave Piscitello <dave_at_nospam>
Date: Thu Jan 06 2011 - 14:43:33 GMT

Hash: SHA1


The problem is much bigger than a mandate of this kind can solve.
Mandates typically have a flag day or deployment horizon and there's at
least an implication that the technology will be available to make the

I have 2 different vendor firewalls here. Neither supports IPv6. One
treats DNS EDNS0 packets as malformed and blocks them and that's a
problem not only for AAAA records but DNSSEC as well. Few vendors have
as complete a set of attack signatures for IPv6 as they do for IPv4.
Many access ISPs don't offer IPv6 but using tunneling services like
Hurricane Electric are simple, educational, and entertaining but I'm not
sure they are the right or scalable solution. Last time I checked, only
a handful of the top 100 web sites had AAAA records associated with
them. And honestly, what percentage of IT out there could renumber and
properly route IPv6 if you asked them to do so today. Let's be honest,
if we were to post an IPv6 quiz on this list, how many would pass?

Few organizations can deploy security measures for IPv6 today that are
equivalent to what they have today with IPv4 across the board. And so
far as I can tell from surveys and inquiries, (1) very few people are
willing to make this trade off and (2) vendors are unwilling to
implement IPv6 in this lame economy without a strong indication that
they'll get a return on investment from the effort.

If ever the phrase "living on borrowed time" applied to the Internet, it
might be now. Many organizations are approaching a time when they may
have to accept a weaker security deployment in order to add systems
because they won't be able to obtain IPv4 addresses.

On 1/4/2011 1:18 AM, Darren Reed wrote:
> Paul D. Robertson wrote:
>> Is anyone doing anything interesting with v6 and firewalls?
>> We're supposedly coming up on the year that v6 will break
>> out, and most organizations I know still don't even
>> route it.
> There needs to be more noise and a lot of it from the DoD and other US
> government
> departments saying that they won't do any future business from anyone
> without an IPv6
> reachable website before anyone will even begin to take it seriously...
> I'm trying to push
> it internally, but sleeping giants move slowly...
> Darren
> _______________________________________________
> firewall-wizards mailing list
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


firewall-wizards mailing list