[AusNOG] Globally Routed IPv6 and Windows Firewall

Greg Anderson ganderson at raywhite.com
Fri Jul 25 13:11:24 EST 2014


Good day Ladies and Gentlemen!

I had a quick question because, try as I might, anybody I have asked this
question so far (and Google) has been unable to answer the question for
me.

With the deployment of a dual stack IPv6 solution either in a corporate or
residential environment, I expect most users would have a single NIC in
most cases.

For Windows Firewall, IPv4 addresses in common cases are not globally
routed addresses, and they often have less restrictive firewall rules and
services running on them (e.g. SNMP, File/Printer Sharing, RDP, HomeGroup,
etc.). In these cases, some would often use "Domain" or "Private" firewall
profiles on these NICs.

With the deployment of IPv6, they will also have link-local IPv6 addresses
(fine, as they are not globally routed either, obviously), and at some point
many will have a globally routed IPv6 address. So this means, for a given
NIC, you will now have:

- IPv4 Reserved address for Private local networking
- IPv6 Reserved address for Private local networking
- IPv6 Globally routed address (and possibly a second temporary address)

Suddenly, when the deployment of globally routed IPv6 addresses happens,
because the NIC has a Private profile there are suddenly private services
exposed to the Internet. (Let's put our tin foil hat on and ignore the
difficulties of brute-force scanning an IPv6 subnet.)

Option 1 is obvious: change your NIC's network type to Public, and if you
don't want everything to break, reconfigure all your rules to permit traffic
only from link-local addresses (i.e. a real pain in the _).

Is there an option 2?  Ideally, I would like the public ranges to be
automatically detected (or specifically reconfigurable) as a globally
routed IP address range and therefore to be able to apply multiple profiles
(Public and Private/Domain) to a single NIC.

I am considering this from a residential dumb end user perspective as well
as enterprise - so whilst I would like a technical solution (and I am aware
those of us smart enough can still firewall at the edge just like we do
today) - many residential users will not have these skills - they are
likely to really open themselves up.  So I am interested to see if I am
missing something very obvious...

Thoughts?

- Greg
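An added example, not part of Greg's post or of any vendor documentation: an administrative PowerShell audit of the exposure described above, on Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules). It lists NICs that hold a global IPv6 address while sitting in a Private/Domain profile, lists inbound allow rules on those profiles that accept any remote address, and finishes with a rule written the "option 1" way, scoped to link-local and ULA sources only. The rule name is hypothetical.

```powershell
# 1. Interfaces that carry a global unicast IPv6 address (2000::/3) but whose
#    connection profile is not Public. Temporary (RFC 4941) addresses are flagged.
$globalV6 = Get-NetIPAddress -AddressFamily IPv6 -AddressState Preferred |
    Where-Object { $_.IPAddress -match '^[23]' }     # first hex digit 2 or 3 => 2000::/3

$exposedIfaces = foreach ($addr in $globalV6) {
    $profile = Get-NetConnectionProfile -InterfaceIndex $addr.InterfaceIndex -ErrorAction SilentlyContinue
    if ($profile -and $profile.NetworkCategory -ne 'Public') {
        [pscustomobject]@{
            Interface = $addr.InterfaceAlias
            Address   = $addr.IPAddress
            Temporary = ($addr.SuffixOrigin -eq 'Random')   # privacy/temporary address
            Profile   = $profile.NetworkCategory             # Private or DomainAuthenticated
        }
    }
}
"Interfaces with a global IPv6 address on a non-Public profile:"
$exposedIfaces | Format-Table -AutoSize

# 2. Enabled inbound allow rules on Private/Domain (or Any) profiles whose remote
#    address filter is 'Any'. On the interfaces above these are Internet-reachable.
"Inbound allow rules on Private/Domain profiles that accept any remote address:"
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Private|Domain|Any' } |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        if ($filter.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Profile = "$($_.Profile)"
                Remote  = ($filter.RemoteAddress -join ',')
            }
        }
    } | Format-Table -AutoSize

# 3. "Option 1": a LAN-only rule. Traffic is accepted from the local subnet,
#    IPv6 link-local (fe80::/10) and ULA (fc00::/7) sources only, so the service
#    stays reachable on the LAN even on a NIC that also holds a global address.
#    'SMB-In (local scope only)' is a hypothetical rule name.
New-NetFirewallRule -DisplayName 'SMB-In (local scope only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
    -RemoteAddress 'LocalSubnet','fe80::/10','fc00::/7' `
    -Profile Private,Domain
```

Sections 1 and 2 are read-only; section 3 creates a rule and needs an elevated prompt.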