[AusNOG] Globally Routed IPv6 and Windows Firewall

Greg Anderson ganderson at raywhite.com
Sat Jul 26 18:04:25 EST 2014


Hi Mark,

I am terribly sorry as it appears that I have upset you.

I am a proponent of IPv6 and I have nothing but great respect for the
professionals who have built the next generation of IP.

I am exposing myself to IPv6 in a personal fashion as I do not have any
other avenues. I cannot afford high end gear to do this.  My IPv6
experience is still quite fresh.

Feel free to discuss this with me off list as it really seems to have
struck a nerve.  I am all for constructive criticism.

I will refrain from this in the future, but I hope someone else got
something out of the question. I know that I did.  Thanks very much to
Craig.

On 26/07/2014 2:37 pm, "Mark ZZZ Smith" <markzzzsmith at yahoo.com.au> wrote:

> So I get a bit frustrated by the original question because it seems to be
> assuming that:
>
> (a) the people who've been working on IPv6 for more than 20 years don't
> know anything about Internet security (despite, for example, trying to
> mandate IPsec in IPv6 implementations ...)
>
> (b) that the network/host/Internet security model is stuck in the
> mid-2000s or earlier, where most hosts had a single network connection, no
> firewalling capability of their own and most hosts end-users used,
> including residential users, were fixed location desktops.
>
> I'd expect people on this mailing list to know that the above aren't true
> and haven't been for a long time, either due to their own side or primary
> interest in Internet security (because security incidents can cause network
> operators outages), or through general interest and enquiry.
>
> There are plenty of IPv6 security related resources available on the
> Internet that should show up fairly easily with Internet searches. Here are
> some:
>
> Presentations:
>
> IPv6 Deployment - Security Issues Thinking outside the NAT box (Tony Hain)
> http://www.isoc-au.org.au/05ipv6summit/Slides/THainIPv6.pdf
>
> Thoughts on Securing IPv6 (yes, that Mark Newton)
>
> https://ia801706.us.archive.org/12/items/auscert2011slides/mark_newton_v3.pdf
>
> Ipv6 Threats to Communication (Steve Bellovin)
>
> https://www.cs.columbia.edu/~smb/talks/v6-security-2005.pdf
>
> Steve Bellovin could be considered one of the inventors of both network
> and host firewalling. This 1999 paper completely changed my thinking on
> whether security should be done primarily in the network or on the hosts -
> "Distributed Firewalls" -
> https://www.cs.columbia.edu/~smb/papers/distfw.pdf.
>
> Here's an interesting paper that Steve Bellovin and others did which
> leverages IPv6's large address space to provide per-application temporary
> IPv6 addresses:
> "Transient addressing for related processes: Improved firewalling by using
> IPv6 and multiple addresses per host."
> https://www.cs.columbia.edu/~smb/papers/tarp.pdf
>
>
>
> Internet Engineering Task Force RFCs and references:
>
> RFC4864, "Local Network Protection for IPv6", May 2007
> http://www.ietf.org/rfc/rfc4864.txt
>
> RFC4890, "Recommendations for Filtering ICMPv6 Messages in Firewalls",
> March 2008
> https://www.rfc-editor.org/rfc/rfc4890.txt
>
> RFC4942, "IPv6 Transition/Coexistence Security Considerations", September
> 2007
> https://www.rfc-editor.org/rfc/rfc4942.txt
>
> RFC5157, "IPv6 Implications for Network Scanning", March 2008
> https://www.rfc-editor.org/rfc/rfc5157.txt
>
> More documents listed here (IETF IPv6 Operations Working Group)
> http://datatracker.ietf.org/wg/v6ops/documents/
>
> These two RFCs were motivated by either attacks on discovered addresses
> via web server logs, or by the predictability of MAC address derived IPv6
> addresses:
>
> RFC4941, "Privacy Extensions for Stateless Address Autoconfiguration in
> IPv6", September 2007
>
> RFC7217, "A Method for Generating Semantically Opaque Interface
> Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)", April
> 2014
>
>
> The more recently formed IETF Operational Security Working group has both
> published RFCs and Internet Drafts relating to network security, including
> IPv6:
> http://datatracker.ietf.org/wg/opsec/documents/
>
>
> And finally, very recently, the Internet Architecture Board (there is no
> higher technical group in the IETF), have published an RFC on host
> firewalling:
>
> RFC7288, "Reflections on Host Firewalls", June 2014
> https://www.rfc-editor.org/rfc/rfc7288.txt
>
>
>
>
> >________________________________
> > From: Mark ZZZ Smith <markzzzsmith at yahoo.com.au>
> >To: Greg Anderson <ganderson at raywhite.com>; Joseph Goldman <
> joe at apcs.com.au>
> >Cc: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> >Sent: Saturday, 26 July 2014 1:18 PM
> >Subject: Re: [AusNOG] Globally Routed IPv6 and Windows Firewall
> >
> >
> >
> >Looks like we missed the 10 year anniversary in February of Windows
> having a stateful IPv6 host-based firewall ...
> >
> >
> >http://technet.microsoft.com/library/bb877979
> >
> >
> >
> >
> >>________________________________
> >> From: Mark ZZZ Smith <markzzzsmith at yahoo.com.au>
> >>To: Greg Anderson <ganderson at raywhite.com>; Joseph Goldman <
> joe at apcs.com.au>
> >>Cc: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> >>Sent: Saturday, 26 July 2014 1:14 PM
> >>Subject: Re: [AusNOG] Globally Routed IPv6 and Windows Firewall
> >>
> >>
> >>
> >>Why do you assume that IPv6 host based firewalling is going to be less
> effective than IPv4's?
> >>
> >>
> >>Why do you assume hosts haven't been protecting themselves, when there
> is no way or not a reliably way that they can tell if there is an upstream
> NAT or firewall providing adequate protection in the network?
> >>
> >>
> >>Who is protecting your smartphone when you are using it to access the
> Internet? If somebody "in the cloud" is protecting you, how can you be sure
> they're competent? What about when you're using a hotel's Wifi on your
> laptop? Who is protecting you then? What about when you use the Wifi at the
> Ausnog/X/Y/Z conference? At Ausnog, the likely greater threat is attached
> to the same Wifi SSID, not on the Internet ...
> >>
> >>
> >>If your smartphone is connected to both Wifi and xG, how can you be sure
> the apparently existing firewalls in those upstream networks  are providing
> equivalent protection, and protection that is adequate for your specific
> needs?
> >>
> >>
> >>
> >>
> >>
> >>
> >>>________________________________
> >>> From: Greg Anderson <ganderson at raywhite.com>
> >>>To: Joseph Goldman <joe at apcs.com.au>
> >>>Cc: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> >>>Sent: Friday, 25 July 2014 1:37 PM
> >>>Subject: Re: [AusNOG] Globally Routed IPv6 and Windows Firewall
> >>>
> >>>
> >>>
> >>>I agree on the difficulties with brute forcing methods, but I
> personally don't consider it a silver bullet.  There are ways to identify
> legitimate IP addresses without brute forcing - log files, traffic
> interception etc.
> >>>
> >>>
> >>>
> >>>On 25 July 2014 13:34, Joseph Goldman <joe at apcs.com.au> wrote:
> >>>
> >>>
> >>>>
> >>>>
> >>>>I think the concern here though is the real 'dumb' home user. NAT
> provides a level of security for inbound attacks to a Personal Computer
> unless specified in port forwarding, so the users have become accustomed to
> that level of security (even if they don't know about it).
> >>>>
> >>>>It was a question that came up in my mind earlier this week too, and
> >>>>not all modem/routers are featured with firewalls to do this - and
> >>>>with pretty much any ISP having to allow BYOD, you can't control if
> >>>>people's routers will ever have this feature. For business/managed
> >>>>connections I tend to personally go MikroTIK routers so they do have
> >>>>the full featured firewall, and I would definitely be setting up
> >>>>rules for IPv6 once we start our end-user roll-out, but I can't
> >>>>control residential customer xyz's JB Hi-Fi bought D-Link, and I
> >>>>don't really want the helpdesk flooded with calls about attacks and
> >>>>viruses either.
> >>>>
> >>>>The only comfort that I got was that IPv6 is so vast that
> >>>>brute-forcing seems illogical and unlikely to net many results. I
> >>>>will be interested to see others' opinions on the matter :)
> >>>>
> >>>>
> >>>>
> >>>>On 25/07/14 13:20, Damien Gardner Jnr wrote:
> >>>>
> >>>>What I do (and we do at work) is run stateful firewalling on the
> home/office router, and don't allow inbound traffic on v6 unless it's for
> an established session.   Same as we did all those years ago when our
> homes/offices had a public /24 (We all had that at home right? ;) ).   It's
> certainly not a new problem :)
> >>>>>
> >>>>>
> >>>>>Cheers,
> >>>>>
> >>>>>DG
> >>>>>
> >>>>>
> >>>>>
> >>>>>On 25 July 2014 13:11, Greg Anderson <ganderson at raywhite.com> wrote:
> >>>>>
> >>>>>Good day Ladies and Gentlemen!
> >>>>>>
> >>>>>>
> >>>>>>I had a quick question because try as I might, anybody I have asked
> this question to so far (and Google) have been unable to answer the
> question for me.
> >>>>>>
> >>>>>>
> >>>>>>With the deployment of a dual stack IPv6 solution either in a
> corporate or residential environment, I expect most users would have a
> single NIC in most cases.
> >>>>>>
> >>>>>>
> >>>>>>For Windows firewall, IPv4 addresses in common cases are not
> globally routed addresses that often have less restrictive firewall rules
> and services running on them (EG SNMP, File/Printer sharing, RDP, Homegroup
> etc).  In these cases, some would often use "Domain" or "Private" firewall
> profiles on these NICs.
> >>>>>>
> >>>>>>
> >>>>>>With the deployments of IPv6, they will also have local link IPv6
> addresses (fine as they are not globally routed either obviously), and at
> some point many will have a globally routed IPv6 address.  So this means,
> for a given NIC, you will now have:
> >>>>>>
> >>>>>>
> >>>>>>- IPv4 Reserved address for Private local networking
> >>>>>>- IPv6 Reserved address for Private local networking
> >>>>>>- IPv6 Globally routed address (and possibly a second temporary
> address)
> >>>>>>
> >>>>>>
> >>>>>>Suddenly when the deployment of Globally routed IPv6 addresses
> happens: because the NIC has a private profile there are suddenly private
> services exposed to the Internet.  (Let's put our tin foil hat on and
> ignore the difficulties of brute force scanning an IPv6 subnet).
> >>>>>>
> >>>>>>
> >>>>>>Option 1 is obvious - change your NIC's network type to public, and
> if you don't want everything to break reconfigure all your rules to permit
> traffic only from local link addresses (IE - a real pain in the _)
> >>>>>>
> >>>>>>
> >>>>>>Is there an option 2?  Ideally, I would like the public ranges to be
> automatically detected (or specifically reconfigurable) as a globally
> routed IP address range and therefore to be able to apply multiple profiles
> (Public and Private/Domain) to a single NIC.
> >>>>>>
> >>>>>>
> >>>>>>I am considering this from a residential dumb end user perspective
> as well as enterprise - so whilst I would like a technical solution (and I
> am aware those of us smart enough can still firewall at the edge just like
> we do today) - many residential users will not have these skills - they are
> likely to really open themselves up.  So I am interested to see if I am
> missing something very obvious...
> >>>>>>
> >>>>>>
> >>>>>>Thoughts?
> >>>>>>
> >>>>>>
> >>>>>>- Greg
> >>>>>>_______________________________________________
> >>>>>>AusNOG mailing list
> >>>>>>AusNOG at lists.ausnog.net
> >>>>>>http://lists.ausnog.net/mailman/listinfo/ausnog
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> --
> >>>>>
> >>>>>Damien Gardner Jnr
> >>>>>VK2TDG. Dip EE. GradIEAust
> >>>>>rendrag at rendrag.net -  http://www.rendrag.net/
> >>>>>--
> >>>>>We rode on the winds of the rising storm,
> >>>>> We ran to the sounds of thunder.
> >>>>>We danced among the lightning bolts,
> >>>>> and tore the world asunder
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >>>--
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
> >
> >
>
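The exposure Greg describes in the original question, and his "Option 1", as an added PowerShell example that is not part of the thread: it audits whether a NIC sitting on the Private or Domain profile holds a globally routed IPv6 address while enabled inbound allow rules accept any remote source, then re-scopes one such service (RDP used as the sample) to link-local IPv6 and the IPv4 local subnet. The interface alias "Ethernet", the rule name and the built-in "Remote Desktop" group name are assumptions.

```powershell
# Added example (not from the thread). Assumes the NIC is called "Ethernet".
$if = "Ethernet"

# 1. Globally routed IPv6 addresses (2000::/3) on this NIC, including
#    RFC4941 temporary ones (SuffixOrigin = Random).
$gua = Get-NetIPAddress -InterfaceAlias $if -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -match '^[23][0-9a-f]{3}:' } |
    Select-Object IPAddress, PrefixOrigin, SuffixOrigin

# 2. Which firewall profile the NIC's connection maps to.
$category  = (Get-NetConnectionProfile -InterfaceAlias $if).NetworkCategory
$fwProfile = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { "$category" }

# 3. Enabled inbound Allow rules active in that profile whose remote
#    address scope is "Any": these are reachable from the Internet once
#    a GUA is present, regardless of the "private" intent behind them.
$exposed = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        $_.Profile -eq 'Any' -or
        ("$($_.Profile)" -split ',\s*') -contains $fwProfile
    } |
    Where-Object {
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

if ($gua -and $exposed -and $fwProfile -ne 'Public') {
    "NIC $if is on the $fwProfile profile and holds globally routed IPv6:"
    $gua | Format-Table -AutoSize
    "Inbound allow rules in this profile open to Any remote address:"
    $exposed | Select-Object DisplayName, Profile | Format-Table -AutoSize
}

# 4. Option 1 applied to one service: keep RDP, but only from link-local
#    IPv6 (fe80::/10) and the IPv4 on-link subnet. The built-in group name
#    "Remote Desktop" is an assumption and may differ by Windows version.
New-NetFirewallRule -DisplayName "RDP (link-local v6 and LAN v4 only)" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Profile Private,Domain -RemoteAddress 'fe80::/10','LocalSubnet4'
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

Step 3 is the check worth running before enabling IPv6 on a LAN: any rule it lists is the "private service exposed to the Internet" case from the question, and step 4 is the per-rule fix.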