[AusNOG] Globally Routed IPv6 and Windows Firewall

Mark Andrews marka at isc.org
Fri Jul 25 13:36:13 EST 2014


In message <CAAGFhy_Ymde5fjtMXZ5V0fHTm2WW8fQVXUESP0zm9frLpG6v8g at mail.gmail.com>, Greg Anderson writes:
> 
> Good day Ladies and Gentlemen!
> 
> I had a quick question because try as I might, anybody I have asked this
> question to so far (and Google) have been unable to answer the question for
> me.
> 
> With the deployment of a dual stack IPv6 solution either in a corporate or
> residential environment, I expect most users would have a single NIC in
> most cases.
> 
> For Windows firewall, IPv4 addresses in common cases are not globally
> routed addresses that often have less restrictive firewall rules and
> services running on them (e.g. SNMP, File/Printer sharing, RDP, Homegroup
> etc).  In these cases, some would often use "Domain" or "Private" firewall
> profiles on these NICs.
> 
> With the deployments of IPv6, they will also have local link IPv6 addresses
> (fine as they are not globally routed either obviously), and at some point
> many will have a globally routed IPv6 address.  So this means, for a given
> NIC, you will now have:
> 
> - IPv4 Reserved address for Private local networking
> - IPv6 Reserved address for Private local networking
> - IPv6 Globally routed address (and possibly a second temporary address)
> 
> Suddenly, when the deployment of globally routed IPv6 addresses happens,
> because the NIC has a private profile there are suddenly private services
> exposed to the Internet.  (Let's put our tin foil hat on and ignore the
> difficulties of brute force scanning an IPv6 subnet).
> 
> Option 1 is obvious - change your NIC's network type to public, and if you
> don't want everything to break, reconfigure all your rules to permit traffic
> only from link-local addresses (i.e. a real pain in the _)
> 
> Is there an option 2?  Ideally, I would like the public ranges to be
> automatically detected (or specifically reconfigurable) as a globally
> routed IP address range and therefore to be able to apply multiple profiles
> (Public and Private/Domain) to a single NIC.
> 
> I am considering this from a residential dumb end user perspective as well
> as enterprise - so whilst I would like a technical solution (and I am aware
> those of us smart enough can still firewall at the edge just like we do
> today) - many residential users will not have these skills - they are
> likely to really open themselves up.  So I am interested to see if I am
> missing something very obvious...
> 
> Thoughts?
> 
> - Greg

1.  Do not use link-local.  They are a pain in the backside to use.
    They are NOT supported in the DNS.  Link-locals are 160-bit
    addresses as they need scope information which is node specific.
    The DNS only supports the first 128 bits of the address.

2.  RAs advertise the local prefixes.  They tell the node what
    addresses are local and what are not to the subnet level.  This
    gives you a private/public distinction.  You can do the same
    thing in IPv4 by looking at the netmask.

3.  It wouldn't take much to have RAs advertise the site prefix.
    Basically it needs a code point to be allocated.

4.  You can use ULA addresses if you want to mimic the RFC 1918 behaviour.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
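An added illustration of points 2 and 4 above, not code from either poster: a small Python classifier that treats link-local, ULA and RFC 1918 ranges as never globally routed, uses RA-advertised on-link prefixes as the IPv6 equivalent of the IPv4 netmask to decide which peers deserve the "Private" profile, and flags which of a NIC's own addresses are globally reachable (Greg's single-NIC scenario). The prefixes and addresses are constructed for the example; 2001:db8::/32, 192.0.2.0/24 and 203.0.113.0/24 are documentation space.

```python
import ipaddress

# Ranges that are never globally routed. fc00::/7 (ULA, RFC 4193) is the
# IPv6 analogue of the RFC 1918 ranges (Mark's point 4).
NON_GLOBAL = [ipaddress.ip_network(n) for n in (
    "fe80::/10",        # IPv6 link-local
    "fc00::/7",         # IPv6 unique local addresses
    "169.254.0.0/16",   # IPv4 link-local
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
)]

# Constructed sample: on-link prefixes the host learned from Router
# Advertisements (Mark's point 2) plus its IPv4 subnet.  Stand-ins for
# whatever the local router actually announces.
ON_LINK = [ipaddress.ip_network(n) for n in (
    "2001:db8:1:2::/64",   # global prefix from the RA
    "fd12:3456:789a:1::/64",  # ULA prefix from the RA
    "192.168.1.0/24",
)]


def _parse(addr_str):
    # Link-locals carry a zone index ("%12", "%eth0"): the node-specific
    # scope Mark's point 1 refers to.  Drop it before parsing.
    return ipaddress.ip_address(addr_str.split("%", 1)[0])


def is_globally_routed(addr_str):
    """True if the address is outside every non-global range."""
    addr = _parse(addr_str)
    # `in` is False across address families, so v4 vs v6 needs no check.
    return not any(addr in net for net in NON_GLOBAL)


def peer_profile(peer_str, on_link=ON_LINK):
    """'private' for a peer in a non-global range or an RA-advertised
    on-link prefix, 'public' for any other globally routed peer."""
    addr = _parse(peer_str)
    if not is_globally_routed(peer_str):
        return "private"
    return "private" if any(addr in net for net in on_link) else "public"


def exposed_addresses(nic_addrs):
    """The NIC's own addresses that are reachable from the Internet, i.e.
    where LAN-only services bound to a Private profile would be exposed."""
    return [a for a in nic_addrs if is_globally_routed(a)]


if __name__ == "__main__":
    nic = ["192.168.1.10", "fe80::1%12", "fd12:3456:789a:1::10", "2001:db8:1:2::10"]
    print("globally reachable:", exposed_addresses(nic))
    for peer in ["192.168.1.20", "2001:db8:1:2::20", "2001:db8:9::1", "203.0.113.7"]:
        print(peer, "->", peer_profile(peer))
```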

