[AusNOG] Globally Routed IPv6 and Windows Firewall
Glen Turner
gdt at gdt.id.au
Sat Jul 26 21:32:31 EST 2014
> I am exposing myself to IPv6 in a personal fashion as I do not have any
> other avenues. I cannot afford high end gear to do this.
You don't need high-end gear to learn about IPv6. For example, my service
at home quite happily runs global IPv6 via a cheap USB ADSL modem, a
RaspberryPi, and a $11 fast ethernet switch:
http://vk5tu.livejournal.com/37206.html
Of course I could have bought all of that in one box, but building your
own router is a good way to learn about IPv6.
You'll notice the configuration has deep-packet inspection and statefull
firewalling for incoming IPv6 connections. This gives the same
"protection" as deep-packet inspection and network address translation for
IPv4. [1]
There has been considerable thought to the archiecture and security of
home networks using IPv6. This draft from the IETF
http://tools.ietf.org/html/draft-ietf-homenet-arch-16
outlines the current approaches and issues.
Best wishes, glen
[1] Quotes around "protection" because in the end the network is the wrong
place to be implementing most security. For example, stateful inspection
-- either by firewall or NAT -- is easily defeated by "exfiltration"-style
attacks which open a connection from the inside to the outside (eg, by
exploiting a flaw in a web browser). Security isn't really much to do with
networking protocols, but with access, authorisation and auditing of
processes on each host. Unfortunately we've made worse progress in
practical implementations of this than almost any other technology in
computing, so we're currently having to hack together short-term, never
completely satisfactory counter-measures which run on the network.
--
Glen Turner <http://www.gdt.id.au/~gdt/>
More information about the AusNOG
mailing list