#acl All:read <> = Development and testing IPv6 firewalls and IPv6 security services = From the security point of view the IPv6 and related protocol elements can be categorised * Security features of IPv6 protocol * Security features of obligatory protocol elements of IPv6 e.g. IPSec * Security features of additional protocol elements of IPv6 e.g. SEND * IPv6 firewalls * IPv6 IDS/IPS systems The project investigated the IPv6 firewalls, but sake of completness we put other IPv6 security elements in context. == IPv6 protocol and security == === Documents to IPv6 security === * Overview of security of IPv6 protocol * [[attachment:IPv6firewallsandSecurity/6net_ipv6security.pdf|6NET document about security of IPv6]] - Authors: János Mohácsi, Georgios Koutepas, Athannasios Liakopoulos, Eric Vyncke, Carlos Friacas - in English * [[Áttekintés_az_IPv6_biztonságáról| Overview of security of IPv6 protocol]] - Authors: János Mohácsi - in Hungarian * IETF RFC and drafts related to security of IPv6 protocol * [[http://tools.ietf.org/html/rfc4942|IPv6 security overview draft]] - Authors: Elwyn Davies, S. Krishnan, P. Savola * [[http://tools.ietf.org/html/rfc3964|Security Considerations for 6to4]] - Authors: P. Savola, C. Patel * [[http://tools.ietf.org/html/rfc4891|Using IPsec to Secure IPv6-in-IPv4 Tunnels]] - Authors: R. Graveman, M. Parthasarathy. P. Savola, H. Tschofenig * [[http://tools.ietf.org/html/rfc4890|Recommendations for Filtering ICMPv6 Messages in Firewalls ]]- Authors: E. Davies, J. Mohacsi * Presentation about IPv6 security * [[http://www.6diss.org/workshops/see-1/security.pdf|IPv6 Security presentation ]]- 6DISS workshop Kopaonik, Serbia March 2006 - Presented: * [[http://www.6diss.org/workshops/saf/security.pdf|IPv6 Security presentation]]- 6DISS workshop Port Elizabeth, South-Afric, September 2005 - Presented: János Mohácsi * [[https://www.terena.org/events/tnc2006/programme/presentations/show1c91.html?pres_id=190|The Security Implications of IPv6 ]] - Terena Networking Conference 2006, Catania, Italy - Presented: Mike Warfield * [[http://www.seanconvery.com/Internet2.pdf|IPv6 Dual Stack Security Considerations]] - October 2004, Internet2 Fall 2004, IPv6 Security Panel - D. Miller, S. Convery, * [[http://www2.garr.it/conf_05_slides/j_mohacsi-IPv6_sec.pdf|IPv6 Security: New threats and countermeasures]] - 3rd 6NET workshop & GARR 2005 conference, Pisa, Italy - Presented: János Mohácsi * [[http://tnc2004.terena.org/programme/presentations/show2149.html?pres_id=115|Security of IPv6: from a firewalls point of view]] - Terena Networking Conference 2004, Rhodes, Greece - Presented: János Mohácsi * [[http://www.6net.org/events/workshop-2003/marin.pdf|What are the new challenges in securing IPv6 networks?]] 2nd 6NET workshop, Terena Networking Conference 2003, Zagreb, Croatia - Presented: Eric Marin * [[http://ipv6.niif.hu/~mohacsi/downloads/athens_tf_ngn_ipv6_firewalls.pdf|IPv6 firewalls]] - TF-NGN meeting October 2001, Athens - Presented: János Mohácsi * Other articles: * [[http://www.cs.columbia.edu/~smb/papers/v6worms.pdf|Worm Propagation Strategies in an IPv6 Internet]] ;login:, February 2006 - Authors: Steven M. Bellovin, Angelos Keromytis, and Bill Cheswick * [[http://www.cs.columbia.edu/~smb/papers/tarp/tarp.html|Transient Addressing for Related Processes: Improved Firewalling by Using IPV6 and Multiple Addresses per Host]] - Proceedings of the Eleventh Usenix Security Symposium, August 2001, - Authros: Peter M. Gleitz and Steven M. Bellovin == Documents related to IPSec == == Documents related to SEND == == IPv6 firewalls == The IPv6 firewalls started to appear in the operating system in 2001, but in usable form around 2004. In out project we tested the freely or easily available firewalls (e.g. built-in to routers. We wanted to test some commercially available firewalls like Checkpoint but did not get any useful answer. We tested IPv6 firewalls [[Tüzfal_teszt_környezet| systematically]], in order to verify their capabilities and they are fullfil their roles. <> === BSD pf firewall === The pf packet filter firewall developed for OpenBSD has been supporting IPv6 since 2002. Since December 2004 all the freely available BSD operating system (FreeBSD, NetBSD, OpenBSD) contains pf packet filter firewall, which is supporting stateful packet inspection for easier, more correct and more powerful configuration. The tutorials developed during the project are available here: * [[attachment:IPv6firewallsandSecurity/ipv6_pf.pdf|Introduction to IPv6 usage of BSD pf ]] * BSD pf configuration examples * [[attachment:IPv6firewallsandSecurity/pf_boot_client.conf.txt|Minimal DHCP/SLAAC boot client PF file - supporting IPv6 autoconfiguration, but nothing else is supported - not for general communication, but booting]] * [[attachment:IPv6firewallsandSecurity/pf_simple_client.conf.txt|client pf.conf file - simple IPv6 client communication]] * [[attachment:IPv6firewallsandSecurity/pf_simple_firewall_noserver.conf.txt|simple one-way firewall system - basic IPv6 communication enabled to outside from protected network; into the protected network only the answers can enter]] * [[attachment:IPv6firewallsandSecurity/pf_simple_firewall_http_ssh_server.conf.txt|slightly more complex firewall system - basic IPv6 commincation enabled to outside from protected network; only HTTP and SSH server communication is allowed into the protected network beside the answers initiated by the clients inside the protected network]] <> === FreeBSD ip6fw firewall === The {{{ipfw}}} firewall system, which was originally developed for BSDI, and completely rewritten from scratch to FreeBSD, was ported to IPv6 [[http://www.kame.net|KAME projekt]] under the name {{[ip6fw}}. This IPv6 ported firewall system was integrated completely to FreeBSD. Sample configuration files for IPv6 application can be found {{{/etc/rc.firewall6 }}} file. Despite its integration the {{{ip6fw}}} does not support stateful packet inspection ({{{ipfw}}} supports stateful packet inspection). Thanks to the latest development in FreeBSD 6.1 IPv6 rules can be set up with {{{ipfw}}}. * [[attachment:IPv6firewallsandSecurity/ipv6_ip6fw.pdf|Introduction to usage of FreeBSD ip6fw]] * Sample FreeBSD ip6fw configuration files * [[attachment:IPv6firewallsandSecurity/ip6fw_client.conf.txt|client ip6fw.conf file - basic IPv6 communication support on a host]] * [[attachment:IPv6firewallsandSecurity/ip6fw_simple.conf.txt|simple firewall systems - basic IPv6 communication supported from the protected network, the firewall act as DNS and NTP server]] * [[Ip6fwVM| ip6fw test in virtual environment]] <> === Linux Netfilter/ip6tables firewall === Linux kernel since version 2.6.16 supports IPv6 connection tracking operation. It was implemented separately from the ip connection tracking. This caused some deficiency: There was no support for NAT in NF connection tracking. Linux kernel since version 2.6.20 supports the NAT module for NF connection tracking thanks to work of József Kadlecsik. Kernel configuration for NF connection tracking: 1. Switch of the default connection tracking module (IP_NF_CONNTRACK) * Connection tracking (required for masq/NAT) otherwise you cannot select Layer-3 independent connection tracking module (NF_CONNTRACK) * Layer 3 Independent Connection tracking (EXPERIMENTAL) 2. Compile in the kernel the following modules: * ip6table_filter - firewall filter module * nf_conntrack_ipv6 - IPv6 connection tracking * nf_conntrack_ftp - FTP helper . * Introduction to usage of Netfilter in IPv6 environment * [[attachment:IPv6firewallsandSecurity/ip6tables.conf.txt|Sample Netfilter/ip6tables configuration file with IPv6 usage]] ==== SecureFilter 2.3 ==== As a result of the project KFKI-RMKI SzHK developed new version of !SecureFilter firewall system (v2.3), which supports IPv6 also next to IPv4. The latest version of !SecureFilter and related documents are available at the software project page: http://www.kfki.hu/cnc/projekt/securefilter/ === IPv6 usage of Cisco ACL === The Cisco IOS 12.2(2) T train and alter or 12.3(1) Mainline and later or IOS 12.2(14)S service provider train and later supports IPv6 packet filtering. At the level of packets there are two type of filtering possible: * Standard ACL filtering - only IPv6 addresses can be used for filtering * Extended ACL filtering - protocol fileds and application ports can be used next to IPv6 addresses It is possible to simulate the stateful packet inspection with reflexive ACLs. Handling of IPv6 FTP connections are supported after 12.3(11)T version - with help of ftp inspection - since the content of ipv6 ftp packet has to be parsed this feature is implemented in software - supported on SW platforms. * [[attachment:IPv6firewallsandSecurity/ipv6_ciscoacl.pdf|Introduction to IPv6 Cisco ACLs]] * [[attachment:IPv6firewallsandSecurity/ipv6_ciscoacl_cisco.pdf|Cisco presentation about IPv6 Cisco ACLs]] '''Note!''' The Cisco ACLs are using a very strange implicit rule: * If there is NO deny rule, then implicitly enables the Neighbor Discovery packets {{{ permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any }}} * If there is a deny rule, then we HAVE to explicitly enable Neighbor Discovery packets in the rules! === Microsoft Windows XP (SP2 and later) & Windows 2003 firewall === Microsoft Windows XP SP2 and later and Windows 2003 server systems have built-in firewalls, which can filter incoming packets - but only incoming packets. It is using the mostly same rules for IPv6 as it is used for IPv4- helping seting up consistent firewall rules. An additional options for IPv6, your have to separately enable IPv6 PATH-MTU-Discovery on ICMP tab. * [[attachment:IPv6firewallsandSecurity/ipv6_windowsxp_firewall.pdf|Introduction to Windows XP firewall in IPv6 environment]] '''Warning!''' Windows firewall cannot filter packets outgoing from the protected networks/hosts - on hosts it can be blocked at process level security center. '''Note!''' Other windows firewalls (e.g. Kerio, !ZoneAlarm etc.) does not support IPv6. It is time to support it. == IPv6 Intrusion Detection/Prevention systems == * [[attachment:IPv6firewallsandSecurity/IDS-and-IPv6.pdf|IPv6 challenges for IDS ]] * [[http://www.sikurezza.org/ml/12_02/msg00178.html|Experimental IPv6 decoder for SNORT]] * [[http://www.snort.org/archive-5-1312.html|SNORT IPv6 support]]