Differences between revisions 4 and 5
Revision 4 as of 2011-01-25 17:14:35
Size: 10911
Editor: mohacsi
Comment:
Revision 5 as of 2011-10-24 14:03:27
Size: 10797
Editor: mohacsi
Comment: update URIs
Deletions are marked like this. Additions are marked like this.
Line 22: Line 22:
   * [[http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-06.txt|IPv6 security overview draft]] - Authors: Elwyn Davies, S. Krishnan, P. Savola
   * [[http://www.ietf.org/rfc/rfc3964.txt|Security Considerations for 6to4]] - Authors: P. Savola, C. Patel
   * [[http://www.ietf.org/internet-drafts/draft-ietf-v6ops-ipsec-tunnels-05.txt|Using IPsec to Secure IPv6-in-IPv4 Tunnels]] - Authors: R. Graveman, M. Parthasarathy. P. Savola, H. Tschofenig
   * [[http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-recs-03.txt|Recommendations for Filtering ICMPv6 Messages in Firewalls ]]- Authors: E. Davies, J. Mohacsi
   * [[http://tools.ietf.org/html/rfc4942|IPv6 security overview draft]] - Authors: Elwyn Davies, S. Krishnan, P. Savola
   * [[http://tools.ietf.org/html/rfc3964|Security Considerations for 6to4]] - Authors: P. Savola, C. Patel
   * [[http://tools.ietf.org/html/rfc4891|Using IPsec to Secure IPv6-in-IPv4 Tunnels]] - Authors: R. Graveman, M. Parthasarathy. P. Savola, H. Tschofenig
   * [[http://tools.ietf.org/html/rfc4890|Recommendations for Filtering ICMPv6 Messages in Firewalls ]]- Authors: E. Davies, J. Mohacsi
Line 27: Line 27:
   * [[http://www.6diss.org/workshops/see/security.pdf|IPv6 Security presentation ]]- 6DISS workshop Kopaonik, Serbia March 2006 - Presented:    * [[http://www.6diss.org/workshops/see-1/security.pdf|IPv6 Security presentation ]]- 6DISS workshop Kopaonik, Serbia March 2006 - Presented:
Line 29: Line 29:
   * [[http://www.terena.nl/events/tnc2006/programme/presentations/show.php?pres_id=190|The Security Implications of IPv6 ]] - Terena Networking Conference 2006, Catania, Italy - Presented: Mike Warfield    * [[https://www.terena.org/events/tnc2006/programme/presentations/show1c91.html?pres_id=190|The Security Implications of IPv6 ]] - Terena Networking Conference 2006, Catania, Italy - Presented: Mike Warfield
Line 31: Line 31:
   * [[http://www.garr.it/conf_05/slides/j_mohacsi-IPv6_sec.pdf|IPv6 Security: New threats and countermeasures]] - 3rd 6NET workshop & GARR 2005 conference, Pisa, Italy - Presented: János Mohácsi
   * [[http://tnc2004.terena.nl/programme/presentations/show.php?pres_id=115|Security of IPv6: from a firewalls point of view]] - Terena Networking Conference 2004, Rhodes, Greece - Presented: János Mohácsi
   * [[http://www2.garr.it/conf_05_slides/j_mohacsi-IPv6_sec.pdf|IPv6 Security: New threats and countermeasures]] - 3rd 6NET workshop & GARR 2005 conference, Pisa, Italy - Presented: János Mohácsi
   * [[http://tnc2004.terena.org/programme/presentations/show2149.html?pres_id=115|Security of IPv6: from a firewalls point of view]] - Terena Networking Conference 2004, Rhodes, Greece - Presented: János Mohácsi

Development and testing IPv6 firewalls and IPv6 security services

From the security point of view the IPv6 and related protocol elements can be categorised

  • Security features of IPv6 protocol
  • Security features of obligatory protocol elements of IPv6 e.g. IPSec
  • Security features of additional protocol elements of IPv6 e.g. SEND
  • IPv6 firewalls
  • IPv6 IDS/IPS systems

The project investigated the IPv6 firewalls, but sake of completness we put other IPv6 security elements in context.

IPv6 protocol and security

Documents to IPv6 security

IPv6 firewalls

The IPv6 firewalls started to appear in the operating system in 2001, but in usable form around 2004. In out project we tested the freely or easily available firewalls (e.g. built-in to routers. We wanted to test some commercially available firewalls like Checkpoint but did not get any useful answer.

We tested IPv6 firewalls systematically, in order to verify their capabilities and they are fullfil their roles.

BSD pf firewall

The pf packet filter firewall developed for OpenBSD has been supporting IPv6 since 2002. Since December 2004 all the freely available BSD operating system (FreeBSD, NetBSD, OpenBSD) contains pf packet filter firewall, which is supporting stateful packet inspection for easier, more correct and more powerful configuration.

The tutorials developed during the project are available here:

FreeBSD ip6fw firewall

The ipfw firewall system, which was originally developed for BSDI, and completely rewritten from scratch to FreeBSD, was ported to IPv6 KAME projekt under the name [ip6fw. This IPv6 ported firewall system was integrated completely to FreeBSD. Sample configuration files for IPv6 application can be found /etc/rc.firewall6  file. Despite its integration the ip6fw does not support stateful packet inspection (ipfw supports stateful packet inspection). Thanks to the latest development in FreeBSD 6.1 IPv6 rules can be set up with ipfw.

Linux Netfilter/ip6tables firewall

Linux kernel since version 2.6.16 supports IPv6 connection tracking operation. It was implemented separately from the ip connection tracking. This caused some deficiency: There was no support for NAT in NF connection tracking. Linux kernel since version 2.6.20 supports the NAT module for NF connection tracking thanks to work of József Kadlecsik. Kernel configuration for NF connection tracking:

  1. Switch of the default connection tracking module (IP_NF_CONNTRACK)
    • Connection tracking (required for masq/NAT)
    otherwise you cannot select Layer-3 independent connection tracking module (NF_CONNTRACK)
    • Layer 3 Independent Connection tracking (EXPERIMENTAL)
  2. Compile in the kernel the following modules:
    • ip6table_filter - firewall filter module
    • nf_conntrack_ipv6 - IPv6 connection tracking
    • nf_conntrack_ftp - FTP helper

.

SecureFilter 2.3

As a result of the project KFKI-RMKI SzHK developed new version of SecureFilter firewall system (v2.3), which supports IPv6 also next to IPv4.

The latest version of SecureFilter and related documents are available at the software project page: http://www.kfki.hu/cnc/projekt/securefilter/

IPv6 usage of Cisco ACL

The Cisco IOS 12.2(2) T train and alter or 12.3(1) Mainline and later or IOS 12.2(14)S service provider train and later supports IPv6 packet filtering. At the level of packets there are two type of filtering possible:

  • Standard ACL filtering - only IPv6 addresses can be used for filtering
  • Extended ACL filtering - protocol fileds and application ports can be used next to IPv6 addresses

It is possible to simulate the stateful packet inspection with reflexive ACLs. Handling of IPv6 FTP connections are supported after 12.3(11)T version - with help of ftp inspection - since the content of ipv6 ftp packet has to be parsed this feature is implemented in software - supported on SW platforms.

Note! The Cisco ACLs are using a very strange implicit rule:

  • If there is NO deny rule, then implicitly enables the Neighbor Discovery packets
    •    permit icmp any any nd-na
         permit icmp any any nd-ns
         deny ipv6 any any
  • If there is a deny rule, then we HAVE to explicitly enable Neighbor Discovery packets in the rules!

Microsoft Windows XP (SP2 and later) & Windows 2003 firewall

Microsoft Windows XP SP2 and later and Windows 2003 server systems have built-in firewalls, which can filter incoming packets - but only incoming packets. It is using the mostly same rules for IPv6 as it is used for IPv4- helping seting up consistent firewall rules. An additional options for IPv6, your have to separately enable IPv6 PATH-MTU-Discovery on ICMP tab.

Warning! Windows firewall cannot filter packets outgoing from the protected networks/hosts - on hosts it can be blocked at process level security center.

Note! Other windows firewalls (e.g. Kerio, ZoneAlarm etc.) does not support IPv6. It is time to support it.

IPv6 Intrusion Detection/Prevention systems

Campus6: IPv6firewallsandSecurity_eng (last edited 2011-10-24 14:03:27 by mohacsi)