TableOfContents

Development and testing IPv6 firewalls and IPv6 security services

From the security point of view the IPv6 and related protocol elements can be categorised

• Security features of IPv6 protocol
• Security features of obligatory protocol elements of IPv6 e.g. IPSec
• Security features of additional protocol elements of IPv6 e.g. SEND
• IPv6 firewalls
• IPv6 IDS/IPS systems

The project investigated the IPv6 firewalls, but sake of completness we put other IPv6 security elements in context.

IPv6 protocol and security

Documents to IPv6 security

• Overview of security of IPv6 protocol
  • [attachment:IPv6firewallsandSecurity/6net_ipv6security.pdf 6NET document about security of IPv6] - Authors: János Mohácsi, Georgios Koutepas, Athannasios Liakopoulos, Eric Vyncke, Carlos Friacas - in English
  • [:Áttekintés az IPv6 biztonságáról: Overview of security of IPv6 protocol] - Authors: János Mohácsi - in Hungarian
• IETF RFC and drafts related to security of IPv6 protocol

  • [http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-06.txt IPv6 security overview draft] - Authors: Elwyn Davies, S. Krishnan, P. Savola

  • [http://www.ietf.org/rfc/rfc3964.txt Security Considerations for 6to4] - Authors: P. Savola, C. Patel

  • [http://www.ietf.org/internet-drafts/draft-ietf-v6ops-ipsec-tunnels-05.txt Using IPsec to Secure IPv6-in-IPv4 Tunnels] - Authors: R. Graveman, M. Parthasarathy. P. Savola, H. Tschofenig

  • [http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-recs-03.txt Recommendations for Filtering ICMPv6 Messages in Firewalls ]- Authors: E. Davies, J. Mohacsi

• Presentation about IPv6 security

  • [http://www.6diss.org/workshops/see/security.pdf IPv6 Security presentation ]- 6DISS workshop Kopaonik, Serbia March 2006 - Presented:

  • [http://www.6diss.org/workshops/saf/security.pdf IPv6 Security presentation]- 6DISS workshop Port Elizabeth, South-Afric, September 2005 - Presented: János Mohácsi

  • [http://www.terena.nl/events/tnc2006/programme/presentations/show.php?pres_id=190 The Security Implications of IPv6 ] - Terena Networking Conference 2006, Catania, Italy - Presented: Mike Warfield

  • [http://www.seanconvery.com/Internet2.pdf IPv6 Dual Stack Security Considerations] - October 2004, Internet2 Fall 2004, IPv6 Security Panel - D. Miller, S. Convery,

  • [http://www.garr.it/conf_05/slides/j_mohacsi-IPv6_sec.pdf IPv6 Security: New threats and countermeasures] - 3rd 6NET workshop & GARR 2005 conference, Pisa, Italy - Presented: János Mohácsi

  • [http://tnc2004.terena.nl/programme/presentations/show.php?pres_id=115 Security of IPv6: from a firewalls point of view] - Terena Networking Conference 2004, Rhodes, Greece - Presented: János Mohácsi

  • [http://www.6net.org/events/workshop-2003/marin.pdf What are the new challenges in securing IPv6 networks?] 2nd 6NET workshop, Terena Networking Conference 2003, Zagreb, Croatia - Presented: Eric Marin

  • [http://ipv6.niif.hu/~mohacsi/downloads/athens_tf_ngn_ipv6_firewalls.pdf IPv6 firewalls] - TF-NGN meeting October 2001, Athens - Presented: János Mohácsi

• Other articles:

  • [http://www.cs.columbia.edu/~smb/papers/v6worms.pdf Worm Propagation Strategies in an IPv6 Internet] ;login:, February 2006 - Authors: Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick

  • [http://www.cs.columbia.edu/~smb/papers/tarp/tarp.html Transient Addressing for Related Processes: Improved Firewalling by Using IPV6 and Multiple Addresses per Host] - Proceedings of the Eleventh Usenix Security Symposium, August 2001, - Authros: Peter M. Gleitz and Steven M. Bellovin

Documents related to IPSec

Documents related to SEND

IPv6 firewalls

The IPv6 firewalls started to appear in the operating system in 2001, but in usable form around 2004. In out project we tested the freely or easily available firewalls (e.g. built-in to routers. We wanted to test some commercially available firewalls like Checkpoint but did not get any useful answer.

We tested IPv6 firewalls [:Tüzfal_teszt_környezet: systematically], in order to verify their capabilities and they are fullfil their roles.

Anchor(BSD_pf)

BSD pf firewall

The pf packet filter firewall developed for OpenBSD supports IPv6 since 2002 óta. Since December 2004 all the freely available BSD operating system (FreeBSD, NetBSD, OpenBSD) contains pf packet filter firewall, which is supporting stateful packet inspection for easier, more correct and more powerful configuration.

The tutorials developed during the project are available here:

• [attachment:IPv6firewallsandSecurity/ipv6_pf.pdf Introduction to IPv6 usage of BSD pf ]
• BSD pf configuration examples
  • [attachment:IPv6firewallsandSecurity/pf_boot_client.conf.txt Minimal DHCP/SLAAC boot client PF file - supporting IPv6 autoconfiguration, but nothing else is supported - not for general communication, but booting]
  • [attachment:IPv6firewallsandSecurity/pf_simple_client.conf.txt client pf.conf file - simple IPv6 client communication]
  • [attachment:IPv6firewallsandSecurity/pf_simple_firewall_noserver.conf.txt simple one-way firewall system - basic IPv6 communication enabled to outside from protected network; into the protected network only the answers can enter]
  • [attachment:IPv6firewallsandSecurity/pf_simple_firewall_http_ssh_server.conf.txt slightly more complex firewall system - basic IPv6 commincation enabled to outside from protected network; only HTTP and SSH server communication is allowed into the protected network beside the answers initiated by the clients inside the protected network]

Anchor(BSD_ip6fw)

FreeBSD ip6fw firewall

The ipfw firewall system, which was originally developed for BSDI, and completely rewritten from scratch to FreeBSD, was ported to IPv6 [http://www.kame.net KAME projekt] under the name . This IPv6 ported firewall system was integrated completely to FreeBSD. Sample configuration files for IPv6 application can be found /etc/rc.firewall6  file. Despite its integration the ip6fw does not support stateful packet inspection (ipfw supports stateful packet inspection). Thanks to the latest development in FreeBSD 6.1 IPv6 rules can be set up with ipfw.

• [attachment:IPv6firewallsandSecurity/ipv6_ip6fw.pdf Introduction to usage of FreeBSD ip6fw]
• Sample FreeBSD ip6fw configuration files
  • [attachment:IPv6firewallsandSecurity/ip6fw_client.conf.txt client ip6fw.conf file - basic IPv6 communication support on a host]
  • [attachment:IPv6firewallsandSecurity/ip6fw_simple.conf.txt simple firewall systems - basic IPv6 communication supported from the protected network, the firewall act as DNS and NTP server]
• [:Ip6fwVM: ip6fw test in virtual environment]

Anchor(linux_ip6tables)

Linux Netfilter/ip6tables firewall

Linux kernel since version 2.6.16 supports IPv6 connection tracking operation. It was implemented separately from the ip connection tracking. This caused some deficiency: There was no support for NAT in NF connection tracking. Linux kernel since version 2.6.20 supports the NAT module for NF connection tracking thanks to work of József Kadlecsik. Kernel configuration for NF connection tracking:

1. Switch of the default connection tracking module (IP_NF_CONNTRACK)
   • Connection tracking (required for masq/NAT)
   otherwise you cannot select Layer-3 independent connection tracking module (NF_CONNTRACK)
   • Layer 3 Independent Connection tracking (EXPERIMENTAL)
2. Compile in the kernel the following modules:
   • ip6table_filter - firewall filter module
   • nf_conntrack_ipv6 - IPv6 connection tracking
   • nf_conntrack_ftp - FTP helper

.

• Introduction to usage of Netfilter in IPv6 environment
  • [attachment:IPv6firewallsandSecurity/ip6tables.conf.txt Sample Netfilter/ip6tables configuration file with IPv6 usage]

SecureFilter 2.3

As a result of the project KFKI-RMKI SzHK developed new version of SecureFilter firewall system (v2.3), which supports IPv6 also next to IPv4.

The latest version of SecureFilter and related documents are available at the software project page: http://www.kfki.hu/cnc/projekt/securefilter/

IPv6 usage of Cisco ACL

The Cisco IOS 12.2(2) T train and alter or 12.3(1) Mainline and later or IOS 12.2(14)S service provider train and later supports IPv6 packet filtering. At the level of packets there are two type of filtering possible:

• Standard ACL filtering - only IPv6 addresses can be used for filtering
• Extended ACL filtering - protocol fileds and application ports can be used next to IPv6 addresses

It is possible to simulate the stateful packet inspection with reflexive ACLs. Handling of IPv6 FTP connections are supported after 12.3(11)T version - with help of ftp inspection - since the content of ipv6 ftp packet has to be parsed this feature is implemented in software - supported on SW platforms.

• [attachment:IPv6firewallsandSecurity/ipv6_ciscoacl.pdf Introduction to IPv6 Cisco ACLs]
• [attachment:IPv6firewallsandSecurity/ipv6_ciscoacl_cisco.pdf Cisco presentation about IPv6 Cisco ACLs]

Note! The Cisco ACLs are using a very strange implicit rule:

• If there is NO deny rule, then implicitly enables the Neighbor Discovery packets

  •    permit icmp any any nd-na
       permit icmp any any nd-ns
       deny ipv6 any any

• If there is a deny rule, then we HAVE to explicitly enable Neighbor Discovery packets in the rules!

Microsoft Windows XP (SP2 and later) & Windows 2003 firewall

Microsoft Windows XP SP2 and later and Windows 2003 server systems have built-in firewalls, which can filter incoming packets - but only incoming packets. It is using the mostly same rules for IPv6 as it is used for IPv4- helping seting up consistent firewall rules. An additional options for IPv6, your have to separately enable IPv6 PATH-MTU-Discovery on ICMP tab.

• [attachment:IPv6firewallsandSecurity/ipv6_windowsxp_firewall.pdf Introduction to Windows XP firewall in IPv6 environment]

Warning! Windows firewall cannot filter packets outgoing from the protected networks/hosts - on hosts it can be blocked at process level security center.

Note! Other windows firewalls (e.g. Kerio, ZoneAlarm etc.) does not support IPv6. It is time to support it.

IPv6 Intrusion Detection/Prevention systems

• [attachment:IPv6firewallsandSecurity/IDS-and-IPv6.pdf IPv6 challenges for IDS ]

• [http://www.sikurezza.org/ml/12_02/msg00178.html Experimental IPv6 decoder for SNORT]

• [http://www.snort.org/archive-5-1312.html SNORT IPv6 support]