IP v6 Security

Bo Nilso bnilso@csc.com
Sun, 22 Jul 2001 21:11:48 +0200


Hi! Thanks for this, and all other replies to my question.

A general question: Will it be harder to build FWs for IPv6 vs IPv4,
keeping in mind the fact that the multiple header concept might make it harder
(slower, CPU-consuming) to filter and do stateful inspection, as the
data needed for making decisions for each packet is not at a predictable
position within each IP packet (it depends on how many different headers
exist in the IP packet)? I think it will. Am I wrong?

/BosseN
-----------------------------------------------------------------
From:
Bo Nilsö, CSC Sweden, Linköping
Mail: bnilso@csc.com
Phone: +46 (0) 13 465 3631
-------------------------------------------------------------------


                                                                                                                
                    Scott Prader                                                                                
                    <gnea@garson.        To:     6bone@ISI.EDU                                                  
                    org>                 cc:                                                                    
                    Sent by:             Subject:     Re: IP v6 Security                                        
                    owner-6bone@I                                                                               
                    SI.EDU                                                                                      
                                                                                                                
                                                                                                                
                    2001-07-21                                                                                  
                    09:01                                                                                       
                                                                                                                
                                                                                                                




* Bo Nilso (bnilso@csc.com) uttered:
> Hi!
>
> Have listened to the mails about DoS attacks on IPv6 networks.
>
> I have a more general question: Is there any FIREWALL SW for IP v6? Fuego
> does not have it, Checkpoint does not state to have any product, Cisco
> 12.2T is not anything to use on their PICS FW (as far as I have heard).
> Has anybody else seen anything around? Has anybody heard ANYTHING about
> products in the pipeline?

Yes, in Linux kernel 2.4.* there are iptables extensions for ipv6 as well
as many packages and documentation (it's still growing, but usable):
ping6, traceroute6, tracepath6, etc.

         .oO Gnea [gnea at garson dot com] Oo.
            .oO url [http://gnea.net] Oo.

"You can tune a filesystem, but you can't tune a fish." -Kirk McKusick
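
The concern in the first message, that the data a filter needs sits at a variable offset behind a chain of extension headers, shown as an added C example (not code from this thread or from any firewall named in it). It walks the chain following the RFC 2460 header formats; the function name `ipv6_find_upper` and the two sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Walk the IPv6 extension header chain and return the offset of the
 * upper-layer header (its protocol number goes to *proto), or -1 if the
 * packet is truncated or is a non-first fragment with no such header. */
int ipv6_find_upper(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    size_t off = 40, hlen;        /* fixed IPv6 header is always 40 bytes */
    uint8_t nh;

    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    nh = pkt[6];                  /* Next Header field of the fixed header */
    for (;;) {
        switch (nh) {
        case 0: case 43: case 60: /* Hop-by-Hop, Routing, Destination Options */
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* 8-octet units, first excluded */
            break;
        case 44:                  /* Fragment header: fixed 8 bytes */
            if (off + 8 > len) return -1;
            if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8) return -1;
            hlen = 8;
            break;
        case 51:                  /* AH: length in 4-octet units, minus 2 */
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;
            break;
        default:                  /* TCP, UDP, ICMPv6, ESP, ...: chain ends */
            *proto = nh;
            return (int)off;
        }
        if (off + hlen > len) return -1;  /* header runs past captured data */
        nh = pkt[off];            /* each extension header names the next one */
        off += hlen;
    }
}

/* Constructed samples: TCP directly after the fixed header, and TCP behind
 * an 8-byte Hop-by-Hop header plus an 8-byte Destination Options header. */
static const uint8_t PLAIN[60] = { [0] = 0x60, [6] = 6 };
static const uint8_t CHAIN[76] = { [0] = 0x60, [6] = 0, [40] = 60, [48] = 6 };

int main(void)
{
    uint8_t p = 0;
    printf("plain: offset %d\n", ipv6_find_upper(PLAIN, sizeof PLAIN, &p));
    printf("chain: offset %d\n", ipv6_find_upper(CHAIN, sizeof CHAIN, &p));
    return 0;
}
```

A filter that needs ports has to run this loop per packet and decide what to do with the -1 cases, since a truncated chain or a later fragment gives it nothing to match on.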