IPv6 Firewalls

From timswiki
Revision as of 12:31, 29 May 2012 by Wikiadmin (talk | contribs)
General Observations

IPv6 firewalls are separate from current IPv4 firewalls and often control network traffic in different ways. IPv4 has evolved from its original flat architecture to involve multiple layers of hierarchy in order to support the burgeoning number of nodes that make up the internet. Not only does the imposed hierarchy offer some security in itself, but clients have become used to their online visibility and security being managed by another node (e.g. an ADSL router). This assumed protection, and the likelihood that it is missing when you connect your client to a foreign (non-home) network, is behind the frequently reported "coffee shop" wifi attacks.

IPv6 intends to return the network hierarchy to a flat structure, where any node can talk directly to any other IPv6 node. In line with this approach, routers may or may not firewall IPv6 traffic for clients that operate behind them. This has several implications for the clients:

  • Clients may have globally routable IPv6 addresses
  • Clients may be solely responsible for their own security/firewall protection
  • Clients may have more than one active IPv6 address
  • Clients may frequently change their IPv6 address if using privacy addresses, as per RFC4941

In response to this, many current IPv6-enabled client devices (e.g. iOS and Android devices) include their own IPv6 firewalls, which are enabled by default.

IPv6 brings two other scenarios that mobile clients (i.e. those connecting to more than one network) need to consider:

  • Current operating systems have IPv6 enabled by default
  • Even if your home network doesn't have IPv6 enabled, you can't assume other networks won't

Consequently, you need to ensure that your client devices have their IPv6 firewall enabled and that it is protecting the services running on the client. It is also advisable to disable any IPv6 services that you do not require (e.g. tunnelling protocols that you are not actively using; this is especially applicable to Windows 7 clients).

One other change IPv6 introduces compared to IPv4 is that additional ICMP traffic flows are necessary for normal network signalling, whereas in IPv4 networks ICMP was predominantly used for failure-case reporting. This requires IPv6 firewalls to admit certain ICMPv6 traffic flows in order to handle IPv6 address allocation, neighbour discovery and several other IPv6 processes. For many client devices this will be handled directly by the firewall itself, but if you are developing your own IPv6 firewall then you need to ensure you follow RFC4890 (which includes an ip6tables packet filter example) and RFC4493.
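As an added example (not part of the original wiki page), the Python below encodes the core of the RFC4890 host-firewall recommendations referred to above: the ICMPv6 error and echo messages of section 4.3.1 and the link-local Neighbour Discovery and Multicast Listener Discovery messages of section 4.4.1, with the RFC4861 hop-limit-255 check on Neighbour Discovery. The "should not normally be dropped" categories are left out for brevity, and the ip6tables renderer only returns the equivalent rule text rather than installing it.

```python
"""Decide whether an inbound ICMPv6 message should pass a host firewall,
following the RFC 4890 recommendations the page points to (added example)."""

# RFC 4890 section 4.3.1: messages that must not be dropped.
# ICMPv6 type -> allowed codes, or None for "any code".
MUST_ALLOW = {
    1: None,      # Destination Unreachable, all codes
    2: None,      # Packet Too Big: dropping it breaks Path MTU discovery
    3: {0},       # Time Exceeded: hop limit exceeded in transit
    4: {1, 2},    # Parameter Problem: unrecognised next header / IPv6 option
    128: None,    # Echo Request
    129: None,    # Echo Reply
}
# RFC 4890 section 4.4.1: link-local signalling that must not be dropped.
NDP_TYPES = {133, 134, 135, 136}  # Router/Neighbour Solicitation and Advertisement
MLD_TYPES = {130, 131, 132, 143}  # Multicast Listener Query/Report/Done, MLDv2 Report


def decide(icmp_type, code, hop_limit):
    """Return ('accept' | 'drop', reason) for one inbound ICMPv6 header."""
    if icmp_type in NDP_TYPES:
        # RFC 4861: NDP is only valid with hop limit 255; a lower value means the
        # packet crossed a router, so it cannot be a genuine on-link message.
        if hop_limit != 255:
            return "drop", "NDP message with hop limit != 255"
        return "accept", "neighbour discovery"
    if icmp_type in MLD_TYPES:
        return "accept", "multicast listener discovery"
    if icmp_type in MUST_ALLOW:
        codes = MUST_ALLOW[icmp_type]
        if codes is None or code in codes:
            return "accept", "RFC 4890 must-allow message"
        return "drop", "code outside the RFC 4890 must-allow list"
    return "drop", "ICMPv6 type not in allow-list"


def ip6tables_rules(chain="INPUT"):
    """Render the same policy as ip6tables commands (type/code syntax, hl match)."""
    rules = []
    for t, codes in sorted(MUST_ALLOW.items()):
        for spec in ([str(t)] if codes is None else [f"{t}/{c}" for c in sorted(codes)]):
            rules.append(f"ip6tables -A {chain} -p icmpv6 --icmpv6-type {spec} -j ACCEPT")
    for t in sorted(NDP_TYPES):
        rules.append(f"ip6tables -A {chain} -p icmpv6 --icmpv6-type {t} -m hl --hl-eq 255 -j ACCEPT")
    for t in sorted(MLD_TYPES):
        rules.append(f"ip6tables -A {chain} -p icmpv6 --icmpv6-type {t} -j ACCEPT")
    rules.append(f"ip6tables -A {chain} -p icmpv6 -j DROP")  # default deny for the rest
    return rules
```

A Neighbour Solicitation arriving with hop limit 64 is dropped even though its type is on the allow-list, which is the check a hand-written ICMPv6 policy most often omits.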
