Difference between revisions of "IPv6 Firewalls"

From timswiki
Revision as of 10:18, 30 May 2012

IPv6 Firewalls

General Observations

IPv6 firewalls are separate from current IPv4 firewalls and often control network traffic in different ways. IPv4 has evolved from its original flat architecture to involve multiple layers of hierarchy (private address ranges behind NAT) in order to support the burgeoning number of nodes that make up the internet. Not only does this imposed hierarchy offer some security in itself, but clients have become used to their online visibility and security being managed by another node (e.g. an ADSL router). This assumed protection, and the likelihood that it is missing when you connect your client to a foreign (non-home) network, is behind the frequently reported "coffee shop" wifi attacks.


IPv6 intends to return the network to a flat structure, where any node can talk directly to any other IPv6 node. In line with this approach, routers may or may not firewall IPv6 traffic for the clients that operate behind them. This has several implications for the clients:


  • Clients may have globally routable IPv6 addresses
  • Clients may be solely responsible for their own security/firewall protection
  • Clients may have more than one active IPv6 address
  • Clients may frequently change their IPv6 address if using privacy addresses, as per RFC4941


In response to this many of the current IPv6-enabled client devices (e.g. iOS and Android devices) include their own IPv6 firewalls, which are enabled by default.


IPv6 brings two other scenarios that mobile clients (i.e. those connecting to more than one network) need to consider:


  • Current operating systems have IPv6 enabled by default
  • Even if your home network doesn't have IPv6 enabled, you can't assume other networks won't have


As a consequence of all of the above changes it is imperative that you ensure that your IPv6-enabled client devices have their IPv6 firewall enabled, and that it is protecting the services running on your client. It is also advisable to disable any IPv6 services that you do not require (e.g. tunneling protocols such as Teredo, 6to4 and ISATAP that you are not actively using; this is especially applicable to Windows 7 clients, which enable these tunnel interfaces by default).


One other change IPv6 introduces compared to IPv4 is that additional ICMP traffic flows are necessary for normal protocol signalling, whereas in IPv4 networks ICMP was predominantly used for error-case reporting. This requires IPv6 firewalls to admit certain ICMPv6 types and codes in order to handle IPv6 address allocation (router advertisements), neighbour discovery, Path MTU discovery (IPv6 routers never fragment, so blocking "Packet Too Big" breaks connections) and several other IPv6 processes. For many client devices this will be handled directly by the firewall itself, but if you are developing your own IPv6 firewall then you need to ensure you follow RFC4890, which includes an ip6tables packet filter example.
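As an added example (not code from this wiki, and not the script in RFC 4890's own appendix), the following shell script emits a host ip6tables ruleset in ip6tables-restore format that admits the ICMPv6 message types RFC 4890 lists as "must not be dropped" for an end system, together with the hop-limit and link-local-source conditions the RFC attaches to them. It assumes a Linux host with ip6tables, the `hl` match and IPv6 conntrack available; the function names, the `--apply` switch, the echo rate limit and the decision to drop Redirect are this example's own choices.

```shell
#!/bin/sh
# Added example (not the wiki's code): a stateful end-system IPv6 firewall that
# admits the ICMPv6 types RFC 4890 lists as "must not be dropped" for hosts.
# Assumes Linux with ip6tables, the 'hl' match and IPv6 conntrack available.
# Running with no arguments only prints the ruleset; --apply loads it (needs root).

rfc4890_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPV6-IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp -j ICMPV6-IN
# Error messages (types 1-4). Dropping Packet Too Big (2) breaks Path MTU
# discovery because IPv6 routers never fragment. All codes accepted here for
# simplicity; RFC 4890 distinguishes individual codes.
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
# Connectivity checking: echo request (rate limited, our choice) and echo reply.
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 129 -j ACCEPT
# Neighbour Discovery (RS 133, RA 134, NS 135, NA 136): legitimate NDP is never
# routed, so the hop limit must still be 255 on arrival (RFC 4861); anything
# else has crossed a router and is spoofed.
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Multicast Listener Discovery (query 130, report 131, done 132, MLDv2 report
# 143): only valid from a link-local source.
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 130 -s fe80::/10 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 131 -s fe80::/10 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 132 -s fe80::/10 -j ACCEPT
-A ICMPV6-IN -p ipv6-icmp --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# Everything else, including Redirect (137) and Node Information query/reply
# (139/140), is dropped; accepting redirects is a local policy decision.
-A ICMPV6-IN -j DROP
COMMIT
EOF
}

# Check, without root, that every NDP type is admitted only with the
# hop-limit-255 condition attached. Returns 0 on success, 1 otherwise.
ruleset_admits_ndp() {
    rules=$(rfc4890_ruleset)
    for t in 133 134 135 136; do
        printf '%s\n' "$rules" \
            | grep -q -- "--icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT" || return 1
    done
    return 0
}

# Number of ICMPv6 type-specific ACCEPT rules, for a quick comparison against
# a written policy list.
accepted_type_count() {
    rfc4890_ruleset | grep -c -- '--icmpv6-type .* -j ACCEPT'
}

case "${1:-}" in
    --apply) rfc4890_ruleset | ip6tables-restore ;;   # load into the kernel (root)
    *)       rfc4890_ruleset ;;                        # print for review
esac
```

Review the printed ruleset (`sh rfc4890.sh`) before loading it with `sh rfc4890.sh --apply`; the INPUT policy is DROP, so any inbound TCP/UDP service you run on the host needs its own ACCEPT rule added ahead of the ICMPv6 jump.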


Testing your IPv6 Firewall

If you wish to verify the operation of your IPv6 firewall then try my open-source IPv6 firewall checker (IPv6 Ping response tester and TCP port scanner).



