Changes

42 bytes added ,  10:36, 30 May 2012
Line 3: Line 3:  
===General Observations===
 
===General Observations===
   −
IPv6 firewalls are separate from, and often control network traffic in different ways, to current IPv4 firewalls. IPv4 has evolved from its original flat architecture to involve multiple layers of hierarchy in order to support the burgeoning number of nodes that make up the internet. Not only does the imposed hierarchy offer some security in itself but clients have become used to their online visibility and security being managed by another node (e.g. an ADSL router). This assumed protection, and the likelihood that it is missing if you connect your client to a foreign (non-home) network, is behind the frequently reported incidents of "coffee shop" wifi attacks.
+
IPv6 firewalls are separate from, and often control network traffic in different ways, to current IPv4 firewalls. IPv4 has evolved from its original flat architecture to involve multiple layers of hierarchy in order to support the burgeoning number of nodes that make up the internet. Not only can the imposed hierarchy offer some security in itself but clients have often relied on their online visibility and security being provided by another node (e.g. an ADSL router). This assumed protection, and the likelihood that it is missing if you connect your client to a foreign (non-home) network, is behind the frequently reported incidents of "coffee shop" wifi attacks.
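Review bot: In the third sentence of the new paragraph, "their online visibility and security being provided by another node" reads oddly, because visibility is something the upstream node limits rather than provides; the old verb "managed" fitted both nouns. Suggest "clients have often relied on another node (e.g. an ADSL router) to control their online visibility and provide their security". The opening sentence is untouched by this edit but still has the construction "separate from, and often control network traffic in different ways, to current IPv4 firewalls", which could be tidied in the same pass.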
      Line 15: Line 15:       −
In response to this many of the current IPv6-enabled client devices (e.g. iOS and Android devices) include their own IPv6 firewalls, which are enabled by default.
+
In response to this many of the current IPv6-enabled client devices (e.g. iOS and Android devices) include their own IPv6 firewalls, which are usually enabled by default.
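Review bot: Adding "usually" before "enabled by default" is a reasonable hedge, but it leaves the reader unable to tell which devices are the exceptions. Suggest either naming the exceptions or adding a clause telling readers to confirm the firewall state on their own device rather than rely on the default. The sentence also wants a comma after "In response to this".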
      Line 21: Line 21:       −
* Current operating systems have IPv6 enabled by default
+
* Currently shipping operating systems have IPv6 enabled by default
 
* Even if your home network doesn't have IPv6 enabled, you can't assume other networks won't have
 
* Even if your home network doesn't have IPv6 enabled, you can't assume other networks won't have
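Review bot: "Currently shipping operating systems" in the changed bullet is time-relative and will go stale as the page ages. Suggest anchoring it to a date or to named releases, for example "Operating systems shipping as of 2012 have IPv6 enabled by default", so the claim stays checkable.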
   Line 28: Line 28:       −
One other change IPv6 introduces compared to IPv4 is that additional ICMP traffic flows are necessary for normal protocol signalling whereas it was predominantly used for error-case reporting in IPv4 networks. This requires IPv6 firewalls to admit certain [[ICMPv6_Types_Codes]] in order to handle IPv6 address allocation, neighbour discovery and several other IPv6 processes. For many client devices this will be handled directly by the firewall itself, but if you are developing your own IPv6 firewall then you need to ensure you follow [http://www.ietf.org/rfc/rfc4890.txt RFC4890] which includes an ip6tables packet filter example.
+
One other change IPv6 introduces compared to IPv4 is that additional ICMP traffic flows are necessary for normal protocol signalling whereas it was predominantly used for error-case reporting in IPv4 networks. This requires IPv6 firewalls to admit certain [[ICMPv6_Types_Codes]] in order to handle IPv6 address allocation, neighbour discovery and several other IPv6 processes. For many client devices this will be handled directly by the firewall itself, but if you are developing your own IPv6 firewall then you need to ensure you follow the recommendations in [http://www.ietf.org/rfc/rfc4890.txt RFC4890] which includes an ip6tables packet filter example.
 
      
===Testing your IPv6 Firewall===
 
===Testing your IPv6 Firewall===
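Review bot: In the last sentence of the changed paragraph, "you need to ensure you follow the recommendations in" is wordier than it needs to be, and the clause "which includes an ip6tables packet filter example" needs a comma before it so that it reads as describing the RFC. Suggest "then follow the recommendations in RFC 4890, which includes an ip6tables packet filter example". The wikilink [[ICMPv6_Types_Codes]] in the same paragraph renders with underscores; a piped link with readable text would be cleaner.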
