IPv6
... ICMPv6 by firewalls may have a detrimental effect on the
establishment and maintenance of IPv6 communications. On the other
hand, allowing indiscriminate passage of all ICMPv6 messages can be a
...
... major security risk. This document recommends a set of rules that
seek to balance effective IPv6 communication against the needs of
site security.
...
... RFC1981].
* Providing a means to discover the IPv6 addresses associated
with the link layer address of an interface ...
... link layer address is
discovered given an IPv6 address). Two messages, Inverse
Neighbor Discovery Solicitation and Advertisement messages ...
... Mobile IPv6 Support
* Providing support for some aspects of Mobile IPv6 especially
dealing with the IPv6 Mobile Home Agent functionality
provided in routers ...
... policy rules, and those passing through end site firewalls can, in
many but by no means all cases, be dropped without damaging IPv6
communications.
...
... MLD) Report and Done messages are sent
with a link-local address as the IPv6 source address, if a valid
...
... is not available (e.g., one has not been configured), the message is
sent with the unspecified address (::) as the IPv6 source address.
Subsequently, the node ...
... or vice versa, but in most cases decisions as to whether or not to
allow them to pass can be made on the basis of local policy without
interfering with IPv6 communications.
The filtering rules ...
... security vulnerabilities that can arise in using the
many different sub-protocols of ICMPv6 in support of IPv6
communication.
A major concern is that it is generally not possible to use IPsec ...
... attacks.
However, the very large address space of IPv6 makes probing a less
effective weapon as compared with IPv4 provided that addresses ...
... destination. Routers
conforming to the IPv6 standards will not forward these packets;
there is no need to configure additional rules to prevent these
...
... For Teredo tunneling [RFC4380] to IPv6 nodes on the site to be
possible, it is essential that the connectivity checking messages are
allowed through the firewall ...
... network. As discussed in
Section 3.2, the risks from port scanning in an IPv6 network are much
less severe, and it is not necessary to filter IPv6 Echo Request
messages.
...
... o Parameter Problem (Type 4) - Code 0
Mobile IPv6 messages that are needed to assist mobility:
o Home Agent ...
... tunnel and it is not considered necessary to disable connectivity
checking in IPv6 networks because port scanning is less of a security
risk.
...
... node. These messages must
not be dropped if the node is to successfully participate in an IPv6
network. The exception to this is the Redirect message for which an
explicit policy decision should be taken (see Section 4.4.4).
...
... Router Renumbering (Type 138)
Mobile IPv6 messages that are needed to assist mobility:
o Home Agent ...
...
Pekka Savola created the original IPv6 Security Overview document,
which contained suggestions for ICMPv6 ...
... Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. ...
... Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. ...
... Thomson, S. and T. Narten, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998. ...
... Deering, S., Fenner, W., and B. Haberman, "Multicast Listener Discovery (MLD) for IPv6", RFC 2710, October 1999. ...
... Conta, A., "Extensions to IPv6 Neighbor Discovery for Inverse Discovery Specification", RFC 3122, June 2001. ...
... Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004. ...
... "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 4443, March 2006. ...
... Narten, T. and R. Draves, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001. ...
... topology and/or service structure. The same idea could be applied to
IPv6, but this can slow down connection establishment if a host has
multiple addresses ...
... Parameter Problem Code 1 (Unrecognized Next Header) and Code 2
(Unrecognized IPv6 Option) messages may result if a node on the path
(usually the destination ...
... destination
does not implement these capabilities. Hence, these messages need to
be generated and allowed for effective IPv6 communications.
Code 0 (Erroneous Header ...
... Parameter Problem messages. Note that this is not a major
vulnerability in a well-designed IPv6 network because of the
difficulties of performing scanning attacks (see Section 3.2).
...
... unicast addresses as source addresses,
but may be sent to any legal IPv6 address, including multicast and
anycast addresses ...
... RFC4380]: Teredo tunneling to
IPv6 nodes on the site will not be possible if these messages are
blocked. It is not thought that there is a significant risk from
scanning attacks on a well-designed IPv6 network (see Section 3.2),
and so connectivity checks should be allowed by default.
...
... Neighbor Advertisements may not match.
The exact functions that these messages will be carrying out depends
on the mechanism being used to configure IPv6 addresses on the link
(Stateless ...
... A.14. Mobile IPv6 Messages ...
... firewalls to
reach the home agent in order for Mobile IPv6 to function. The two
Mobile prefix ...
... are normally resident on the site from behaving as mobile nodes by
dropping Mobile IPv6 messages from these nodes.
...
... filtering system for Linux [netfilter]. When used with IPv6, the
'ip6tables' command is used to configure packet filtering rules for
the Netfilter system. The script is targeted at a simple enterprise
site that may or may not support Mobile IPv6.
#!/bin/bash
...
... LINK_LOCAL_ADDRS=0
# Configuration option: Change this to 0 if the site does not support
# Mobile IPv6 Home Agents - see Appendix A.14
export HOME_AGENTS ...
... AGENTS_PRESENT=1
# Configuration option: Change this to 0 if the site does not support
# Mobile IPv6 mobile nodes being present on the site -
# see Appendix A.14
...
...
# MOBILE IPv6 MESSAGES
# ====================
...
... # ====================
# If there are mobile ipv6 home agents present on the
# trusted side allow
...
