[LAC-TF] IPv6/NAT/firewalls (Fwd: Re: [ipv6hackers] the end is near (or for IPv6: the beginning)

Fernando Gont fgont at si6networks.com
Wed Jan 15 17:37:21 BRST 2014


FYI (food for thought).

(IPv6 Hackers mailing-list:
<http://lists.si6networks.com/listinfo/ipv6hackers>)


-------- Original Message --------
Subject: Re: [ipv6hackers] the end is near (or for IPv6: the beginning)
Date: Wed, 15 Jan 2014 18:35:24 +0000
From: Edward Lopez <elopez at fortinet.com>
Reply-To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>
To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>

This is my personal opinion and not necessarily one shared with my company.

IPv4 stateful firewalls have a heavy reliance on NAT functionality as a
means of resolving asymmetric routing issues that would otherwise be
problematic in otherwise multipath routing environments.  Proxy devices
resolve asymmetry as a natural result of explicit proxy functions.  As
IPv6 migration accelerates, and the adoption of native IPv6 addressing
down to endpoints becomes predominant, we will begin to see interesting
issues arise:

- A sharp rise in asymmetry issues with stateful firewalls in multipath
environments
- An increase in direct attacks against IPv6 endpoints, due to the
removal of the NAT boundary
- A strong effort to deploy NAT66 (RFC 6296) for use in FW/CGN boundaries
- A resurgence of proxy-based security
- The need to resolve asymmetry will be exacerbated by the deployment
of IPv6 anycast services

With the recent allegations that the NSA TAO has compromised a number of
commercial stateful firewall systems, I would think that more
intelligent organizations will be reconsidering their network security
strategies in their migration plans to IPv6.

Ed

On Jan 4, 2014, at 12:29 PM, Jens Link <lists at quux.de> wrote:

Marc Heuse <mh at mh-sec.de> writes:

Expect everyone in the USA to be totally surprised when this happens
(like every year in Chicago in Winter when it starts snowing)  ;-)

Or Windows XP support running out. ;-)

Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40   | 13595 Berlin, Germany           | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink at jabber.quux.de | ---------------  |
----------------------------------------------------------------------------
_______________________________________________
Ipv6hackers mailing list
Ipv6hackers at lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers







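The asymmetry problem described in the forwarded message, as an added illustration that is not part of the original thread: a simplified Python model in which two stateful firewalls keep separate state tables and the upstream network picks the return path by longest-prefix match. All names, the addresses (documentation prefix 2001:db8::/32) and the generic source-NAT behaviour are constructed assumptions; it does not model RFC 6296 prefix translation specifically.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class StatefulFirewall:
    name: str
    nat_addr: Optional[str] = None           # source-NAT address routed to this firewall
    state: set = field(default_factory=set)  # reply 4-tuples this firewall expects
    nat_map: dict = field(default_factory=dict)

    def outbound(self, src, sport, dst, dport):
        """Record state for an inside->outside flow; rewrite src if NAT is on."""
        pub = self.nat_addr or src
        self.state.add((dst, dport, pub, sport))
        self.nat_map[(pub, sport)] = src
        return pub, sport, dst, dport

    def inbound(self, src, sport, dst, dport):
        """Accept a reply only if this firewall saw the outbound packet."""
        if (src, sport, dst, dport) not in self.state:
            return None                       # no matching state: drop
        return self.nat_map[(dst, dport)]     # deliver to the real inside host

def return_path(routes, dst):
    """Longest-prefix match, as the upstream network would perform it."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), fw) for p, fw in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def round_trip(use_nat):
    """Client leaves via fw-a; upstream prefers fw-b for the inside prefix."""
    fw_a = StatefulFirewall("fw-a", "2001:db8:a::1" if use_nat else None)
    fw_b = StatefulFirewall("fw-b")
    routes = [("2001:db8:1::/48", fw_b),      # inside prefix: return path differs
              ("2001:db8:a::1/128", fw_a)]    # NAT address: always back to fw-a
    src, sport, dst, dport = fw_a.outbound("2001:db8:1::10", 40000,
                                           "2001:db8:ffff::80", 443)
    reply_fw = return_path(routes, src)       # server replies to the source it saw
    delivered = reply_fw.inbound(dst, dport, src, sport)
    return reply_fw.name, delivered

if __name__ == "__main__":
    for nat in (False, True):
        print("NAT" if nat else "native", round_trip(nat))
```

With native addressing the reply reaches the firewall that holds no state and is dropped; with the source address rewritten to one routed only to the first firewall, the reply returns through the device that created the state.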