firewall-wizards January 2011 archive

Re: [fw-wiz] IPv6

From: Dave Piscitello <dave_at_nospam>
Date: Thu Jan 06 2011 - 14:43:33 GMT
To: firewall-wizards@listserv.icsalabs.com


Darren,

The problem is much bigger than a mandate of this kind can solve.
Mandates typically have a flag day or deployment horizon and there's at
least an implication that the technology will be available to make the
change.

I have 2 different vendor firewalls here. Neither supports IPv6. One
treats DNS EDNS0 packets as malformed and blocks them, and that's a
problem not only for AAAA records but DNSSEC as well. Few vendors have
as complete a set of attack signatures for IPv6 as they do for IPv4.
Many access ISPs don't offer IPv6, and tunneling services like
Hurricane Electric are simple, educational, and entertaining, but I'm not
sure they are the right or scalable solution. Last time I checked, only
a handful of the top 100 web sites had AAAA records associated with
them. And honestly, what percentage of IT out there could renumber and
properly route IPv6 if you asked them to do so today? Let's be honest,
if we were to post an IPv6 quiz on this list, how many would pass?

Few organizations can deploy security measures for IPv6 today that are
equivalent to what they have today with IPv4 across the board. And so
far as I can tell from surveys and inquiries, (1) very few people are
willing to make this trade-off and (2) vendors are unwilling to
implement IPv6 in this lame economy without a strong indication that
they'll get a return on investment from the effort.

If ever the phrase "living on borrowed time" applied to the Internet, it
might be now. Many organizations are approaching a time when they may
have to accept a weaker security deployment in order to add systems
because they won't be able to obtain IPv4 addresses.

On 1/4/2011 1:18 AM, Darren Reed wrote:
> Paul D. Robertson wrote:
>> Is anyone doing anything interesting with v6 and firewalls?
>> We're supposedly coming up on the year that v6 will break
>> out, and most organizations I know still don't even
>> route it.
>>
>
> There needs to be more noise and a lot of it from the DoD and other US
> government departments saying that they won't do any future business
> from anyone without an IPv6 reachable website before anyone will even
> begin to take it seriously... I'm trying to push it internally, but
> sleeping giants move slowly...
>
> Darren
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>