579
edits
Changes
Jump to navigation
Jump to search
Line 29:
Line 29: + + + + + + + + + + + + Line 37:
Line 49: +
no edit summary
One other change IPv6 introduces compared to IPv4 is that additional ICMP traffic flows are necessary for normal protocol signalling whereas it was predominantly used for error-case reporting in IPv4 networks. This requires IPv6 firewalls to admit certain [[ICMPv6_Types_Codes]] in order to handle IPv6 address allocation, neighbour discovery (IPv6 replacement for ARP) and several other IPv6 processes. For many client devices this will be handled directly by the firewall itself, but if you are developing your own IPv6 firewall then you need to ensure you follow the recommendations in [http://www.ietf.org/rfc/rfc4890.txt RFC4890] which includes an ip6tables packet filter example.
One other change IPv6 introduces compared to IPv4 is that additional ICMP traffic flows are necessary for normal protocol signalling whereas it was predominantly used for error-case reporting in IPv4 networks. This requires IPv6 firewalls to admit certain [[ICMPv6_Types_Codes]] in order to handle IPv6 address allocation, neighbour discovery (IPv6 replacement for ARP) and several other IPv6 processes. For many client devices this will be handled directly by the firewall itself, but if you are developing your own IPv6 firewall then you need to ensure you follow the recommendations in [http://www.ietf.org/rfc/rfc4890.txt RFC4890] which includes an ip6tables packet filter example.
===IPv6 Addresses===
One other observation relates to the selection of an IPv6 address for your host. There are three main IPv6 address allocation approaches:
* Static unicast address allocation
* Stateless Address Autoconfiguration (SLAAC)
* DHCPv6
A full IPv6 address is composed of a network address part (perhaps 64 bits) and a host address part (often 64 bits).
Dependant upon the scheme that your host uses you '''may''' be able to freely select the host address part - e.g. when using static address allocation. Despite what you may find written elsewhere you are only safe from IPv6 port scans if the address of your machine is not easily discoverable within its IPv6 subnet. On this basis I suggest that you fight the urge to allocate easy to type/remember addresses (e.g. <network-address-part>::1, and any that use a mix of hexadecimal addresses that spell words - 0xdead, 0xbeef, 0xface). Many machines appear to use such allocations in their host address part and if you were writing an IPv6 port scanner then surely addresses using such choices would be the place you would start scanning? A DNS with suitable Quad-A entries is your friend in this situation.
If you wish to verify the operation of your IPv6 firewall then try my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewall checker] which checks your IPv6 Ping response and scans a set of user-defined TCP ports.
If you wish to verify the operation of your IPv6 firewall then try my [http://ipv6.chappell-family.com/ipv6tcptest/ IPv6 firewall checker] which checks your IPv6 Ping response and scans a set of user-defined TCP ports.
A '''''starting point''''' for an IPv6 iptables-based firewall can be found in my [[Raspberry_Pi_IPv6_firewall_tester_installation configuration guide.]]
This website publishes a [http://ipv6.chappell-family.com/html/privacy_policy.html Privacy Policy.] Continued use of this website implies your consent to the storage of data outlined in the policy.
This website publishes a [http://ipv6.chappell-family.com/html/privacy_policy.html Privacy Policy.] Continued use of this website implies your consent to the storage of data outlined in the policy.