Differences between revisions 1 and 5 (spanning 4 versions)
Revision 1 as of 2007-03-05 16:56:02
Size: 10840
Editor: mohacsi
Comment:
Revision 5 as of 2011-10-24 14:03:27
Size: 10797
Editor: mohacsi
Comment: update URIs
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
[[TableOfContents]] <<TableOfContents>>
Line 19: Line 19:
   * [attachment:IPv6firewallsandSecurity:6net_ipv6security.pdf 6NET document about security of IPv6] - Authors: János Mohácsi, Georgios Koutepas, Athannasios Liakopoulos, Eric Vyncke, Carlos Friacas - in English
   * [:Áttekintés az IPv6 biztonságáról: Overview of security of IPv6 protocol] - Authors: János Mohácsi - in Hungarian
   * [[attachment:IPv6firewallsandSecurity/6net_ipv6security.pdf|6NET document about security of IPv6]] - Authors: János Mohácsi, Georgios Koutepas, Athannasios Liakopoulos, Eric Vyncke, Carlos Friacas - in English
   * [[Áttekintés_az_IPv6_biztonságáról| Overview of security of IPv6 protocol]] - Authors: János Mohácsi - in Hungarian
Line 22: Line 22:
   * [http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-06.txt IPv6 security overview draft] - Authors: Elwyn Davies, S. Krishnan, P. Savola
   * [http://www.ietf.org/rfc/rfc3964.txt Security Considerations for 6to4] - Authors: P. Savola, C. Patel
   * [http://www.ietf.org/internet-drafts/draft-ietf-v6ops-ipsec-tunnels-05.txt Using IPsec to Secure IPv6-in-IPv4 Tunnels] - Authors: R. Graveman, M. Parthasarathy. P. Savola, H. Tschofenig
   * [http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-recs-03.txt Recommendations for Filtering ICMPv6 Messages in Firewalls ]- Authors: E. Davies, J. Mohacsi
   * [[http://tools.ietf.org/html/rfc4942|IPv6 security overview draft]] - Authors: Elwyn Davies, S. Krishnan, P. Savola
   * [[http://tools.ietf.org/html/rfc3964|Security Considerations for 6to4]] - Authors: P. Savola, C. Patel
   * [[http://tools.ietf.org/html/rfc4891|Using IPsec to Secure IPv6-in-IPv4 Tunnels]] - Authors: R. Graveman, M. Parthasarathy. P. Savola, H. Tschofenig
   * [[http://tools.ietf.org/html/rfc4890|Recommendations for Filtering ICMPv6 Messages in Firewalls ]]- Authors: E. Davies, J. Mohacsi
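Review bot: the link titles were not updated together with the URIs; the first entry still reads "IPv6 security overview draft" although it now points at RFC 4942, which is the published RFC, so the word "draft" should go. In the last entry the trailing blank inside the link text and the missing space before the dash (`Firewalls ]]- Authors`) should become `Firewalls]] - Authors`, matching the other three entries. The author lists also mix "Elwyn Davies" and "E. Davies" for the same person.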
Line 27: Line 27:
   * [http://www.6diss.org/workshops/see/security.pdf IPv6 Security presentation ]- 6DISS workshop Kopaonik, Serbia March 2006 - Presented:
   * [http://www.6diss.org/workshops/saf/security.pdf IPv6 Security presentation]- 6DISS workshop Port Elizabeth, South-Afric, September 2005 - Presented: János Mohácsi
   * [http://www.terena.nl/events/tnc2006/programme/presentations/show.php?pres_id=190 The Security Implications of IPv6 ] - Terena Networking Conference 2006, Catania, Italy - Presented: Mike Warfield
   * [http://www.seanconvery.com/Internet2.pdf IPv6 Dual Stack Security Considerations] - October 2004, Internet2 Fall 2004, IPv6 Security Panel - D. Miller, S. Convery,
   * [http://www.garr.it/conf_05/slides/j_mohacsi-IPv6_sec.pdf IPv6 Security: New threats and countermeasures] - 3rd 6NET workshop & GARR 2005 conference, Pisa, Italy - Presented: János Mohácsi
   * [http://tnc2004.terena.nl/programme/presentations/show.php?pres_id=115 Security of IPv6: from a firewalls point of view] - Terena Networking Conference 2004, Rhodes, Greece - Presented: János Mohácsi
   * [http://www.6net.org/events/workshop-2003/marin.pdf What are the new challenges in securing IPv6 networks?] 2nd 6NET workshop, Terena Networking Conference 2003, Zagreb, Croatia - Presented: Eric Marin
   * [http://ipv6.niif.hu/~mohacsi/downloads/athens_tf_ngn_ipv6_firewalls.pdf IPv6 firewalls] - TF-NGN meeting October 2001, Athens - Presented: János Mohácsi
   * [[http://www.6diss.org/workshops/see-1/security.pdf|IPv6 Security presentation ]]- 6DISS workshop Kopaonik, Serbia March 2006 - Presented:
   * [[http://www.6diss.org/workshops/saf/security.pdf|IPv6 Security presentation]]- 6DISS workshop Port Elizabeth, South-Afric, September 2005 - Presented: János Mohácsi
   * [[https://www.terena.org/events/tnc2006/programme/presentations/show1c91.html?pres_id=190|The Security Implications of IPv6 ]] - Terena Networking Conference 2006, Catania, Italy - Presented: Mike Warfield
   * [[http://www.seanconvery.com/Internet2.pdf|IPv6 Dual Stack Security Considerations]] - October 2004, Internet2 Fall 2004, IPv6 Security Panel - D. Miller, S. Convery,
   * [[http://www2.garr.it/conf_05_slides/j_mohacsi-IPv6_sec.pdf|IPv6 Security: New threats and countermeasures]] - 3rd 6NET workshop & GARR 2005 conference, Pisa, Italy - Presented: János Mohácsi
   * [[http://tnc2004.terena.org/programme/presentations/show2149.html?pres_id=115|Security of IPv6: from a firewalls point of view]] - Terena Networking Conference 2004, Rhodes, Greece - Presented: János Mohácsi
   * [[http://www.6net.org/events/workshop-2003/marin.pdf|What are the new challenges in securing IPv6 networks?]] 2nd 6NET workshop, Terena Networking Conference 2003, Zagreb, Croatia - Presented: Eric Marin
   * [[http://ipv6.niif.hu/~mohacsi/downloads/athens_tf_ngn_ipv6_firewalls.pdf|IPv6 firewalls]] - TF-NGN meeting October 2001, Athens - Presented: János Mohácsi
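Review bot: "South-Afric" in the Port Elizabeth entry should be "South Africa", and the Kopaonik entry still ends in an empty "Presented:" field; either fill in the presenter or drop the label. The first two entries also keep a blank inside the link text and none before the dash (`presentation ]]-`), unlike the rest of the list.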
Line 36: Line 36:
   * [http://www.cs.columbia.edu/~smb/papers/v6worms.pdf Worm Propagation Strategies in an IPv6 Internet] ;login:, February 2006 - Authors: Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick
   * [http://www.cs.columbia.edu/~smb/papers/tarp/tarp.html Transient Addressing for Related Processes: Improved Firewalling by Using IPV6 and Multiple Addresses per Host] - Proceedings of the Eleventh Usenix Security Symposium, August 2001, - Authros: Peter M. Gleitz and Steven M. Bellovin
   * [[http://www.cs.columbia.edu/~smb/papers/v6worms.pdf|Worm Propagation Strategies in an IPv6 Internet]] ;login:, February 2006 - Authors: Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick
   * [[http://www.cs.columbia.edu/~smb/papers/tarp/tarp.html|Transient Addressing for Related Processes: Improved Firewalling by Using IPV6 and Multiple Addresses per Host]] - Proceedings of the Eleventh Usenix Security Symposium, August 2001, - Authros: Peter M. Gleitz and Steven M. Bellovin
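Review bot: "Authros" in the TARP entry is a typo for "Authors" that survives the URI update, and the stray comma in "August 2001, - Authros" should be removed.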
Line 47: Line 47:
We tested IPv6 firewalls [:Tüzfal_teszt_környezet: systematically], in order to verify their capabilities and they are fullfil their roles. We tested IPv6 firewalls [[Tüzfal_teszt_környezet| systematically]], in order to verify their capabilities and they are fullfil their roles.
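Review bot: the sentence stays ungrammatical after the link-syntax change; "and they are fullfil their roles" should read "and that they fulfil their roles". The space after the pipe in `[[Tüzfal_teszt_környezet| systematically]]` will render as a leading blank in the link text.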
Line 49: Line 49:
[[Anchor(BSD_pf)]] <<Anchor(BSD_pf)>>
Line 52: Line 52:
The pf packet filter firewall developed for OpenBSD supports IPv6 since 2002 óta. Since December 2004 all the freely available BSD operating system (FreeBSD, NetBSD, OpenBSD) contains pf packet filter firewall, which is supporting stateful packet inspection for easier, more correct and more powerful configuration. The pf packet filter firewall developed for OpenBSD has been supporting IPv6 since 2002. Since December 2004 all the freely available BSD operating system (FreeBSD, NetBSD, OpenBSD) contains pf packet filter firewall, which is supporting stateful packet inspection for easier, more correct and more powerful configuration.
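Review bot: the second sentence needs plural agreement in both revisions: "all the freely available BSD operating systems (FreeBSD, NetBSD, OpenBSD) contain the pf packet filter firewall, which supports stateful packet inspection".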
Line 56: Line 56:
 * [attachment:IPv6firewallsandSecurity:ipv6_pf.pdf Introduction to IPv6 usage of BSD pf ]  * [[attachment:IPv6firewallsandSecurity/ipv6_pf.pdf|Introduction to IPv6 usage of BSD pf ]]
Line 58: Line 58:
  * [attachment:IPv6firewallsandSecurity:pf_boot_client.conf.txt Minimal DHCP/SLAAC boot client PF file - supporting IPv6 autoconfiguration, but nothing else is supported - not for general communication, but booting]
  * [attachment:IPv6firewallsandSecurity:pf_simple_client.conf.txt client pf.conf file - simple IPv6 client communication]
  * [attachment:IPv6firewallsandSecurity:pf_simple_firewall_noserver.conf.txt simple one-way firewall system - basic IPv6 communication enabled to outside from protected network; into the protected network only the answers can enter]
  * [attachment:IPv6firewallsandSecurity:pf_simple_firewall_http_ssh_server.conf.txt slightly more complex firewall system - basic IPv6 commincation enabled to outside from protected network; only HTTP and SSH server communication is allowed into the protected network beside the answers initiated by the clients inside the protected network]
  * [[attachment:IPv6firewallsandSecurity/pf_boot_client.conf.txt|Minimal DHCP/SLAAC boot client PF file - supporting IPv6 autoconfiguration, but nothing else is supported - not for general communication, but booting]]
  * [[attachment:IPv6firewallsandSecurity/pf_simple_client.conf.txt|client pf.conf file - simple IPv6 client communication]]
  * [[attachment:IPv6firewallsandSecurity/pf_simple_firewall_noserver.conf.txt|simple one-way firewall system - basic IPv6 communication enabled to outside from protected network; into the protected network only the answers can enter]]
  * [[attachment:IPv6firewallsandSecurity/pf_simple_firewall_http_ssh_server.conf.txt|slightly more complex firewall system - basic IPv6 commincation enabled to outside from protected network; only HTTP and SSH server communication is allowed into the protected network beside the answers initiated by the clients inside the protected network]]
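Review bot: "commincation" in the last entry is a typo for "communication" carried over unchanged; "beside the answers" should be "besides the answers".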
Line 63: Line 63:
[[Anchor(BSD_ip6fw)]] <<Anchor(BSD_ip6fw)>>
Line 66: Line 66:
The {{{ipfw}}} firewall system, which was originally developed for BSDI, and completely rewritten from scratch to FreeBSD, was ported to IPv6 [http://www.kame.net KAME projekt] under the name {{[ip6fw}}. This IPv6 ported firewall system was integrated completely to FreeBSD. Sample configuration files for IPv6 application can be found {{{/etc/rc.firewall6 }}} file. Despite its integration the {{{ip6fw}}} does not support stateful packet inspection ({{{ipfw}}} supports stateful packet inspection). Thanks to the latest development in FreeBSD 6.1 IPv6 rules can be set up with {{{ipfw}}}.
  * [attachment:IPv6firewallsandSecurity:ipv6_ip6fw.pdf Introduction to usage of FreeBSD ip6fw]
The {{{ipfw}}} firewall system, which was originally developed for BSDI, and completely rewritten from scratch to FreeBSD, was ported to IPv6 [[http://www.kame.net|KAME projekt]] under the name {{[ip6fw}}. This IPv6 ported firewall system was integrated completely to FreeBSD. Sample configuration files for IPv6 application can be found {{{/etc/rc.firewall6 }}} file. Despite its integration the {{{ip6fw}}} does not support stateful packet inspection ({{{ipfw}}} supports stateful packet inspection). Thanks to the latest development in FreeBSD 6.1 IPv6 rules can be set up with {{{ipfw}}}.
  * [[attachment:IPv6firewallsandSecurity/ipv6_ip6fw.pdf|Introduction to usage of FreeBSD ip6fw]]
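Review bot: `{{[ip6fw}}` is a broken monospace span (mismatched braces) in both revisions and renders as a literal `[ip6fw`; it should be `{{{ip6fw}}}`. In the same paragraph `{{{/etc/rc.firewall6 }}}` carries a trailing blank inside the span, "can be found {{{...}}} file" is missing "in the", and "KAME projekt" should be "KAME project" in the English page.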
Line 69: Line 69:
    * [attachment:IPv6firewallsandSecurity:ip6fw_client.conf.txt client ip6fw.conf file - basic IPv6 communication support on a host]
    * [attachment:IPv6firewallsandSecurity:ip6fw_simple.conf.txt
simple firewall systems - basic IPv6 communication supported from the protected network, the firewall act as DNS and NTP server]
  * [:Ip6fwVM: ip6fw test in virtual environment]
    * [[attachment:IPv6firewallsandSecurity/ip6fw_client.conf.txt|client ip6fw.conf file - basic IPv6 communication support on a host]]
    * [[attachment
:IPv6firewallsandSecurity/ip6fw_simple.conf.txt|simple firewall systems - basic IPv6 communication supported from the protected network, the firewall act as DNS and NTP server]]
  * [[Ip6fwVM| ip6fw test in virtual environment]]
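Review bot: the second attachment link in the new revision is split across two lines (`[[attachment` on one line, `:IPv6firewallsandSecurity/ip6fw_simple.conf.txt|...]]` on the next), so the `[[...]]` markup will not render as a link; join it onto one line. The description should also read "the firewall acts as DNS and NTP server".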
Line 73: Line 73:
[[Anchor(linux_ip6tables)]] <<Anchor(linux_ip6tables)>>
Line 89: Line 89:
  * [attachment:IPv6firewallsandSecurity:ip6tables.conf.txt Sample Netfilter/ip6tables configuration file with IPv6 usage]   * [[attachment:IPv6firewallsandSecurity/ip6tables.conf.txt|Sample Netfilter/ip6tables configuration file with IPv6 usage]]
Line 107: Line 107:
 * [attachment:IPv6firewallsandSecurity:ipv6_ciscoacl.pdf Introduction to IPv6 Cisco ACLs]
 * [attachment:IPv6firewallsandSecurity:ipv6_ciscoacl_cisco.pdf Cisco presentation about IPv6 Cisco ACLs]
 * [[attachment:IPv6firewallsandSecurity/ipv6_ciscoacl.pdf|Introduction to IPv6 Cisco ACLs]]
 * [[attachment:IPv6firewallsandSecurity/ipv6_ciscoacl_cisco.pdf|Cisco presentation about IPv6 Cisco ACLs]]
Line 122: Line 122:
  * [attachment:IPv6firewallsandSecurity:ipv6_windowsxp_firewall.pdf Introduction to Windows XP firewall in IPv6 environment]   * [[attachment:IPv6firewallsandSecurity/ipv6_windowsxp_firewall.pdf|Introduction to Windows XP firewall in IPv6 environment]]
Line 130: Line 130:
 * [attachment:IPv6firewallsandSecurity:IDS-and-IPv6.pdf IPv6 challenges for IDS ]
 * [http://www.sikurezza.org/ml/12_02/msg00178.html Experimental IPv6 decoder for SNORT]
 * [http://www.snort.org/archive-5-1312.html SNORT IPv6 support]
 * [[attachment:IPv6firewallsandSecurity/IDS-and-IPv6.pdf|IPv6 challenges for IDS ]]
 * [[http://www.sikurezza.org/ml/12_02/msg00178.html|Experimental IPv6 decoder for SNORT]]
 * [[http://www.snort.org/archive-5-1312.html|SNORT IPv6 support]]

Development and testing IPv6 firewalls and IPv6 security services

From the security point of view, IPv6 and its related protocol elements can be categorised as follows:

  • Security features of IPv6 protocol
  • Security features of obligatory protocol elements of IPv6 e.g. IPSec
  • Security features of additional protocol elements of IPv6 e.g. SEND
  • IPv6 firewalls
  • IPv6 IDS/IPS systems

The project investigated IPv6 firewalls, but for the sake of completeness we put the other IPv6 security elements in context as well.

IPv6 protocol and security

Documents about IPv6 security

IPv6 firewalls

IPv6 firewalls started to appear in operating systems in 2001, but in usable form only around 2004. In our project we tested the freely or easily available firewalls (e.g. those built into routers). We wanted to test some commercially available firewalls like Checkpoint as well, but did not get any useful answer.

We tested IPv6 firewalls systematically, in order to verify their capabilities and that they fulfil their roles.

BSD pf firewall

The pf packet filter firewall developed for OpenBSD has supported IPv6 since 2002. Since December 2004 all the freely available BSD operating systems (FreeBSD, NetBSD, OpenBSD) contain the pf packet filter firewall, which supports stateful packet inspection for easier, more correct and more powerful configuration.

The tutorials developed during the project are available here:

FreeBSD ip6fw firewall

The ipfw firewall system, which was originally developed for BSDI and completely rewritten from scratch for FreeBSD, was ported to IPv6 by the KAME project under the name ip6fw. This IPv6 port of the firewall system was integrated completely into FreeBSD. A sample configuration for IPv6 can be found in the /etc/rc.firewall6 file. Despite its integration, ip6fw does not support stateful packet inspection (ipfw does support stateful packet inspection). Thanks to the latest development in FreeBSD 6.1, IPv6 rules can be set up with ipfw.

Linux Netfilter/ip6tables firewall

The Linux kernel supports IPv6 connection tracking since version 2.6.16. It was implemented separately from the IPv4 connection tracking, which caused a deficiency: there was no NAT support in NF connection tracking. Since version 2.6.20 the Linux kernel has a NAT module for NF connection tracking, thanks to the work of József Kadlecsik. Kernel configuration for NF connection tracking:

  1. Switch off the default connection tracking module (IP_NF_CONNTRACK):
    • Connection tracking (required for masq/NAT)
    otherwise you cannot select the Layer-3 independent connection tracking module (NF_CONNTRACK):
    • Layer 3 Independent Connection tracking (EXPERIMENTAL)
  2. Compile the following modules into the kernel:
    • ip6table_filter - firewall filter module
    • nf_conntrack_ipv6 - IPv6 connection tracking
    • nf_conntrack_ftp - FTP helper
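The following script is an added example and not one of the project's own attached configuration files. It builds an ip6tables-restore ruleset for the "simple firewall with HTTP and SSH server" scenario described in the pf section, using the nf_conntrack_ipv6 module listed above for stateful filtering: inside hosts may open connections to the outside, only the answers come back in, and HTTP and SSH are published for one server. The interface names, the server address (a documentation-prefix address) and the choice of ICMPv6 types are assumptions; the Neighbor Discovery rules are made explicit because a DROP policy would otherwise silently break address resolution, the same pitfall the Cisco ACL note on this page describes.

```shell
#!/bin/sh
# Added example, not one of the Campus6 project's own configuration files.
# Emits an ip6tables-restore ruleset for a stateful IPv6 firewall between a
# protected network and the outside.  Needs a kernel with NF_CONNTRACK and
# nf_conntrack_ipv6.  Interface names and the server address are assumed.

INSIDE_IF="${INSIDE_IF:-eth1}"        # protected network side (assumed)
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"      # upstream side (assumed)
SERVER="${SERVER:-2001:db8::80}"      # constructed documentation address

# Print the whole ruleset on stdout in ip6tables-restore format.
ipv6_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Answers to connections started by the firewall itself or by inside hosts
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# With a DROP policy Neighbor Discovery (types 133-137) must be permitted
# explicitly, otherwise the firewall can no longer resolve its neighbours.
# Hop limit 255 proves the packet has not crossed a router.
-A INPUT -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
# Error messages needed for Path MTU Discovery and normal operation
-A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A FORWARD -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo requests to the firewall itself, rate limited
-A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
# Inside hosts may open new connections towards the outside
-A FORWARD -i $INSIDE_IF -o $OUTSIDE_IF -m conntrack --ctstate NEW -j ACCEPT
# From outside only HTTP and SSH may be opened, and only to the server
-A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $OUTSIDE_IF -o $INSIDE_IF -d $SERVER -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# SSH to the firewall itself only from the protected network
-A INPUT -i $INSIDE_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: count the rules that accept NEW connections
# arriving on the outside interface.  It must equal the number of services
# published on purpose (two here: HTTP and SSH to the server).
outside_new_rules() {
    ipv6_ruleset | grep -c -- "-i $OUTSIDE_IF -o $INSIDE_IF .* --ctstate NEW -j ACCEPT"
}

if [ "${1:-}" = "--apply" ]; then
    ipv6_ruleset | ip6tables-restore      # loads the whole table atomically
else
    ipv6_ruleset                           # dry run: just show the ruleset
fi
```

Run it without arguments to review the generated rules, and with --apply (as root) to load them; ip6tables-restore replaces the filter table in one step, so a half-loaded ruleset cannot lock you out mid-way.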


SecureFilter 2.3

As a result of the project, KFKI-RMKI SzHK developed a new version of the SecureFilter firewall system (v2.3), which supports IPv6 in addition to IPv4.

The latest version of SecureFilter and related documents are available at the software project page: http://www.kfki.hu/cnc/projekt/securefilter/

IPv6 usage of Cisco ACL

Cisco IOS 12.2(2)T train and later, 12.3(1) Mainline and later, and the 12.2(14)S service provider train and later support IPv6 packet filtering. At the packet level two types of filtering are possible:

  • Standard ACL filtering - only IPv6 addresses can be used for filtering
  • Extended ACL filtering - protocol fields and application ports can be used in addition to IPv6 addresses

It is possible to simulate stateful packet inspection with reflexive ACLs. Handling of IPv6 FTP connections is supported from version 12.3(11)T with the help of FTP inspection; since the content of the IPv6 FTP packets has to be parsed, this feature is implemented in software and is supported only on software platforms.

Note! Cisco IPv6 ACLs use a rather unusual implicit rule:

  • If there is NO deny rule, the Neighbor Discovery packets are implicitly permitted, as if the ACL ended with:
    •    permit icmp any any nd-na
         permit icmp any any nd-ns
         deny ipv6 any any
  • If there is a deny rule, then we HAVE to explicitly permit the Neighbor Discovery packets in the rules!

Microsoft Windows XP (SP2 and later) & Windows 2003 firewall

Microsoft Windows XP SP2 and later and Windows 2003 Server systems have a built-in firewall, which can filter incoming packets, but only incoming packets. It uses mostly the same rules for IPv6 as for IPv4, which helps in setting up consistent firewall rules. As an additional option for IPv6, you have to enable IPv6 Path MTU Discovery separately on the ICMP tab.

Warning! The Windows firewall cannot filter packets going out from the protected networks/hosts; on hosts, outgoing traffic can only be blocked at the process level in the Security Center.

Note! Other Windows firewalls (e.g. Kerio, ZoneAlarm etc.) do not support IPv6. It is time to support it.

IPv6 Intrusion Detection/Prevention systems

Campus6: IPv6firewallsandSecurity_eng (last edited 2011-10-24 14:03:27 by mohacsi)