IP v6 Security

[Francis Dupont]

 In your previous mail you wrote:

   A general question: Will it be harder to build FW´s for IPv6 vs IPv4,
   keeping in mind the fact that multiple header concept might make it harder
   (slower, cpu-consuming) trying to filter and do stateful inspection, as the
   data needed for making descions for each paket is not on an predictable
   position within each IP packet ( it depends on how many different headers
   that exist in the IP packet. I think it will. Am I wrong?
   
=> yes and no. The extension header mechanism is easier to use or
to parse/filter than the IPv4 option mechanism, so to filter a IPv6
packet with options is simpler/faster than to filter a IPv4 packet
with options... The real issue is the ratio of packets with options,
this ratio is known to be very low for IPv4, making the IPv4 option
mechanism near useless. The IPv6 extension mechanism is supposed to
fix that so this ratio should be greater for IPv6 and the final result
is not predictable...
My concern about filtering/classifying devices is that CPU speed grows
slower than fiber optic bandwidth: smart (?) processing (i.e. everything
more complex than switching) is becoming more and more hard & expensive
at full fiber speed, perhaps unfeasible if the phenomenon persits...
It is already hard to do more than basic filtering at 1Gbits/s (I know
no commercial product for that).

Regards

Francis.Dupont@enst-bretagne.fr