[AusNOG] Globally Routed IPv6 and Windows Firewall

Damien Gardner Jnr rendrag at rendrag.net
Fri Jul 25 13:20:13 EST 2014


What I do (and we do at work) is run stateful firewalling on the
home/office router, and don't allow inbound traffic on v6 unless it's for
an established session.   Same as we did all those years ago when our
homes/offices had a public /24 (We all had that at home right? ;) ).   It's
certainly not a new problem :)

Cheers,

DG


On 25 July 2014 13:11, Greg Anderson <ganderson at raywhite.com> wrote:

> Good day Ladies and Gentlemen!
>
> I had a quick question because try as I might, anybody I have asked this
> question to so far (and Google) have been unable to answer the question for
> me.
>
> With the deployment of a dual stack IPv6 solution either in a corporate or
> residential environment, I expect most users would have a single NIC in
> most cases.
>
> For Windows firewall, IPv4 addresses in common cases are not globally
> routed addresses that often have less restrictive firewall rules and
> services running on them (e.g. SNMP, File/Printer sharing, RDP, Homegroup
> etc).  In these cases, some would often use "Domain" or "Private" firewall
> profiles on these NICs.
>
> With the deployments of IPv6, they will also have link-local IPv6
> addresses (fine as they are not globally routed either obviously), and at
> some point many will have a globally routed IPv6 address.  So this means,
> for a given NIC, you will now have:
>
> - IPv4 Reserved address for Private local networking
> - IPv6 Reserved address for Private local networking
> - IPv6 Globally routed address (and possibly a second temporary address)
>
> Suddenly when the deployment of globally routed IPv6 addresses happens:
> because the NIC has a private profile there are suddenly private services
> exposed to the Internet.  (Let's put our tin foil hat on and ignore the
> difficulties of brute force scanning an IPv6 subnet).
>
> Option 1 is obvious - change your NIC's network type to public, and if you
> don't want everything to break reconfigure all your rules to permit traffic
> only from link-local addresses (i.e. - a real pain in the _)
>
> Is there an option 2?  Ideally, I would like the public ranges to be
> automatically detected (or specifically reconfigurable) as a globally
> routed IP address range and therefore to be able to apply multiple profiles
> (Public and Private/Domain) to a single NIC.
>
> I am considering this from a residential dumb end user perspective as well
> as enterprise - so whilst I would like a technical solution (and I am aware
> those of us smart enough can still firewall at the edge just like we do
> today) - many residential users will not have these skills - they are
> likely to really open themselves up.  So I am interested to see if I am
> missing something very obvious...
>
> Thoughts?
>
> - Greg
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>


-- 

Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net -  http://www.rendrag.net/
--
We rode on the winds of the rising storm,
 We ran to the sounds of thunder.
We danced among the lightning bolts,
 and tore the world asunder
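[Editor's note, added to this archived post; not part of Damien's or Greg's messages.] Greg's "Option 1" can be scripted rather than done rule by rule. The script below is an added example, not code from anyone on the thread, and uses only the stock NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallAddressFilter, Set-NetFirewallRule, available on Windows 8 / Server 2012 and later). It walks every enabled inbound Allow rule that applies to the Private profile, and for each one whose remote scope is still "Any" it rewrites the scope to on-link, link-local, ULA and RFC 1918 sources only, so a service that was "private" stays unreachable from a host's new global IPv6 address without having to switch the NIC to the Public profile. $DryRun, $ScopedTo and $WideOpen are names chosen here, not Windows settings; the script must run from an elevated PowerShell.

```powershell
# Added example (not from the original AusNOG thread): scope Private-profile
# inbound Allow rules to local sources only, so that the global IPv6 address
# a dual-stack NIC acquires does not expose RDP/SMB/etc. to the Internet.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator

$DryRun = $true   # set to $false to actually change the rules (assumed flag, ours)

# Sources that may still reach "private" services on this host.
# 'LocalSubnet' is a Windows Firewall keyword: the prefixes that are on-link for
# the NIC, both v4 and v6. The rest are explicit ranges.
$ScopedTo = @(
    'LocalSubnet',
    'fe80::/10',                                       # IPv6 link-local
    'fc00::/7',                                        # IPv6 unique local
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'    # RFC 1918
)

# Rules that apply to the Private profile (a Profile of 'Any' applies to all).
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Private|Any' }

foreach ($rule in $rules) {
    # RemoteAddress lives on the associated address filter, not on the rule.
    $filter   = $rule | Get-NetFirewallAddressFilter
    $WideOpen = ($filter.RemoteAddress -contains 'Any')

    # Leave rules alone that the author already scoped to something narrower.
    if (-not $WideOpen) { continue }

    Write-Host ("{0,-55} Profile={1,-16} Remote={2}" -f
        $rule.DisplayName, $rule.Profile, ($filter.RemoteAddress -join ','))

    if (-not $DryRun) {
        # Replaces the whole RemoteAddress list for this rule.
        $rule | Set-NetFirewallRule -RemoteAddress $ScopedTo
    }
}
```

Run it once with $DryRun left at $true to see which rules would be touched (on a stock box this is mostly things like Remote Desktop and Core Networking rules that ship with RemoteAddress "Any"), then flip it. Two caveats: Set-NetFirewallRule -RemoteAddress replaces the rule's list rather than appending, which is why rules already scoped narrower than "Any" are skipped; and 'LocalSubnet' covers the host's own on-link global /64, which is the LAN, not the Internet. It is host-side hardening only, and complements the router-side "stateful, nothing inbound unless established" rule Damien describes rather than replacing it.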