Manny,
Thanks for your expertise... that what I thought but did not realize how this translated into home networks as well.
Again, Thanks for helping me understand this.
Thanks Manny!
Now I owe you 2 Moosehead ales! They may be illegal down there! 6%!
Best Regards!
.... there is always time to do it over, but never enough to do it right the first time....
Regards,
CAVE CANEM ET SEMPER PARATUS
Win7 x64 SP1, i7 quad core 3770k, 16GB ram, Custom build PC wi. Asus P8Z77-I MB, nVidia GTX650,
Firefox 24.0a1 x64, Waterfox 18.01 x64, Thunderbird 24.0a1 x64, IE10, Asus DSL-N55U router,
Outpost Security Suite v8.0.4164, in-house IT Support Dept.
consisting of two greyhounds, both of which are now very fast angels.
Manny:
I am shocked you would collect after you saw the image posted of the devastating effects!
Best Regards!
the moose on the right is also obviously under age!
Regards,
CAVE CANEM ET SEMPER PARATUS
Hello:
There is a US-CERT paper out on blocking/filtering of IPv6 traffic. Here is its title.
Technical Information Paper TIP-12-225-01
Fundamental Filtering of IPv6 Network Traffic
Tim Stahl, Michael King, Robert Renstrom
Here is an excerpt:
• All traffic from these addresses or ranges should be blocked both inbound and outbound.
  o The loopback address is ::1/128. Can be displayed as
    • 0:0:0:0:0:0:0:1
    • ::1
  o The unspecified address, similar to the IPv4 address 0.0.0.0, is ::/128, and is only used when an interface doesn’t know what its link local address is yet. Can be displayed as
    • 0:0:0:0:0:0:0:0
    • ::/0
    • ::
    Depending on your IPv6 implementation, this address may be seen within your network but should not appear on the internet or be routed to it.
  o The IPv4-mapped address is ::FFFF:0:0/96. The IPv4 address 129.107.86.36 can be displayed as
    • 0:0:0:0:0:FFFF:129.107.86.36
    • ::FFFF:129.107.86.36
    IPv4-mapped addresses should not be confused with the similar, and deprecated, IPv4-compatible addresses. IPv4-mapped addresses can be used in a dual-stack environment to map IPv4 addresses to IPv6 addresses, allowing IPv6-only applications to operate with IPv4 nodes. While they can be used internally on your network, they are not routable in the internet.
  o Link-local unicast addresses fe80::/10, fe90::/10, fea0::/10, feb0::/10 should be treated similarly to the private address space in IPv4. Expect to see these on your internal network, but don’t allow them to cross your network border in either direction.
  o Site-local addresses are fc00::/7. This range functions the same as the IPv4 private address ranges.
Now this is highly complex for anybody (me included), and I don't have the skills, time or patience to harden my OP Pro FW settings to implement rules for these new addresses.
So what is my question?
Does the new version of OP FW Pro take care of these rules (hundreds of them) for IPv6 by creating presets? What about user LAN settings?
Please let the thread know what we users have to do, if anything. So far, not knowing, I have done nothing other than make the same tick Manny showed me months ago.
Best Regards!
OP can handle IPv6 but like almost all IPv4 rules you have to make them yourself unless you use the available presets. OP, for example, won't have a built in rule, but do look in the low level rules there should be one there that mentions IPv6, to block the loopback address [which by the way should not always be blocked]. Most equipment can't yet handle, although Windows can, the IPv6 protocol so on old machines this won't matter. For example, my new router can handle IPv6 but none of my network cards can so it'll be a while for me - maybe a long while - before I turn on my router's IPv6 capability.
For right now, unless you have an IPv6 network capable card, don't worry about it and leave it turned off. There's nothing to harden right now. Some time in the future when IPv6 becomes more common, and it will, then we will have to deal with it but for now it's safe to ignore it for a little bit longer. Mostly it's knowing how to handle the new IPv6 address terminology.
Edit: I forgot, the IPv6 ICMP rules are built in.
Last edited by Manny Carvalho; 11-11-2012 at 03:33 AM.
Hi Manny:
I have taken your advice (again!) and looked at my OP FW Pro 64 bit ICMPv6 settings. I have them ALL blank in and out so that means (I hope) that none of those connections will be allowed.
I have also looked at the low level rules and set up blocking rules on any mention of IPv6.
Now I can enjoy life by watching the log for attempt by svchost to go out!
Wow here is one already! Blocked by my rule!
1:39:23 PM SVCHOST.EXE OUT UDPv6 ff02::1:2 547 *Block Outbound UDP to DHCPv6s 0 0
In the US Cert paper, ff indicates it is a multicast address.
Here for added excitement is a section on tunneling which can be used to bypass current Firewall blocking rules.
Tunneling
If an organization cannot obtain an IPv6 address natively, then creating a tunnel is a viable
method to establish connectivity between an IPv4 and another running IPv6. Tunneling can
provide the connectivity, but it also presents security considerations since it can also provide
a method to surreptitiously gain access to a network. The suggestions listed below help to
mitigate the security issues.
TLP: GREEN
  o 6to4 tunneling
    6to4 addresses are 2002::/16. The 6to4 addresses may be routed when the site is running a 6to4 relay or offering a 6to4 transit service. If not, then they can be blocked.
  o Teredo / Miredo (Unix, Linux) tunneling
    Teredo addresses are 2001::/32.
    • If you aren’t using or allowing this type of tunneling, these addresses can be blocked.
  o Intra-site Automatic Tunnel Addressing Protocol (ISATAP tunneling)
    • Filter for the string 0000:5EFE followed by the 32-bit IPv4 address.
  • Additional tunneling information
    o Tunneled IPv6 within IPv4 traffic should be isolated to IPv4 protocol 41.
    o Tunneled IPv6 within IPv6 will contain a “next header” value of 41. This indicates that the type of packet contained within the IPv6 packet is also IPv6, where you would normally expect this to be ICMPv4 (next header value of 1), TCP (next header value of 6) or some other higher level protocol, or possibly an extension header like a fragmentation or routing extension header.
  • Organizations that do not yet use IPv6 should block all native and tunneled IPv6 traffic at their firewalls. Note that such blocking limits testing and evaluation of IPv6 and IPv6 tunneling technologies for future deployment. To permit such use, the firewall administrator can selectively unblock IPv6 or the specific tunneling technologies of interest for use by the authorized testers.
  • “Use access control lists at border routers to block protocols 41 (used by 6to4), 43, 44, 58, 59, 60, and 192.88.99.1 (default anycast address of some 6to4 systems) would be a good place to start.”
Last edited by Escalader; 11-11-2012 at 06:06 AM. Reason: add quotes
Best Regards!
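To make the two quoted US-CERT passages concrete (the address ranges that must not cross the network border, and the protocol-41 tunnel indicator), here is an added example written for this thread; it is not code from the paper, from Outpost, or from any poster. It classifies an IPv6 address against the quoted ranges, pulls the address out of a firewall log line in the format posted above, and checks a raw IPv4 or IPv6 header for encapsulated IPv6. Assumptions: multicast ff00::/8 is added as a "block" range based on the note that "ff" denotes multicast; the ISATAP check also accepts 0200:5EFE (the u/l bit set) as RFC 5214 allows; the sample headers are constructed, not captured traffic.

```python
"""Border-filter classifier for the IPv6 ranges quoted from US-CERT TIP-12-225-01,
plus a protocol-41 tunnel check on raw IP headers.  Added example; not code from
the paper, the forum thread, or Outpost."""
import ipaddress
import struct

# Match order matters: most specific networks first.
# Verdicts: "block"  = must not cross the network border in either direction
#           "review" = allow only if the site deliberately runs that tunnel/relay
BORDER_RULES = [
    (ipaddress.ip_network("::1/128"),       "loopback",       "block"),
    (ipaddress.ip_network("::/128"),        "unspecified",    "block"),
    (ipaddress.ip_network("::ffff:0:0/96"), "IPv4-mapped",    "block"),
    (ipaddress.ip_network("fe80::/10"),     "link-local",     "block"),
    (ipaddress.ip_network("fc00::/7"),      "site-local/ULA", "block"),
    (ipaddress.ip_network("ff00::/8"),      "multicast",      "block"),  # "ff" = multicast (assumption from the thread's note)
    (ipaddress.ip_network("2002::/16"),     "6to4",           "review"),
    (ipaddress.ip_network("2001::/32"),     "Teredo",         "review"),
]

# ISATAP interface identifier: 0000:5EFE followed by the 32-bit IPv4 address (the
# paper's filter string).  RFC 5214 also allows 0200:5EFE (u/l bit set), so that
# bit is masked off before comparing.
ISATAP_IID_HIGH = 0x00005EFE
UL_BIT = 0x02000000
IPPROTO_IPV6 = 41  # IPv4 "protocol" / IPv6 "next header" value for encapsulated IPv6

# Log line as posted in the thread (Outpost format).
SAMPLE_LOG_LINE = "1:39:23 PM SVCHOST.EXE OUT UDPv6 ff02::1:2 547 *Block Outbound UDP to DHCPv6s 0 0"


def isatap_embedded_ipv4(addr):
    """Return the embedded IPv4 address if addr has an ISATAP interface ID, else None."""
    iid_high = (int(addr) >> 32) & 0xFFFFFFFF
    if (iid_high & ~UL_BIT) != ISATAP_IID_HIGH:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def classify(addr_str):
    """Return (label, verdict, detail) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(addr_str)
    for net, label, verdict in BORDER_RULES:
        if addr in net:
            detail = ""
            if label == "IPv4-mapped":
                detail = "maps IPv4 %s" % addr.ipv4_mapped
            elif label == "6to4":
                detail = "embeds IPv4 %s" % addr.sixtofour
            return (label, verdict, detail)
    v4 = isatap_embedded_ipv4(addr)
    if v4 is not None:
        return ("ISATAP", "review", "embeds IPv4 %s" % v4)
    return ("global unicast", "allow", "")


def classify_log_line(line):
    """Find the first IPv6 literal in a firewall log line and classify it.
    Returns (address, label, verdict, detail), or None if no IPv6 literal is present."""
    for token in line.split():
        try:
            ipaddress.IPv6Address(token)
        except ValueError:
            continue
        return (token,) + classify(token)
    return None


def ipv4_header(proto, src, dst):
    """Constructed minimal 20-byte IPv4 header (checksum zeroed; illustration only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(next_header, src, dst):
    """Constructed 40-byte IPv6 header with no payload (illustration only)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def tunneled_ipv6(packet):
    """True when an IPv4 header carries protocol 41 or an IPv6 header carries
    Next Header 41, i.e. IPv6 encapsulated in the packet (the paper's indicator)."""
    if not packet:
        return False
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        return packet[9] == IPPROTO_IPV6   # IPv4 protocol field
    if version == 6 and len(packet) >= 40:
        return packet[6] == IPPROTO_IPV6   # IPv6 next-header field
    return False


if __name__ == "__main__":
    for a in ["::1", "::ffff:129.107.86.36", "ff02::1:2", "2002:c000:204::1",
              "2001::1", "2001:db8::5efe:192.0.2.7", "2001:db8::1"]:
        print(a, classify(a))
    print(classify_log_line(SAMPLE_LOG_LINE))
    print(tunneled_ipv6(ipv4_header(IPPROTO_IPV6, "192.0.2.10", "192.88.99.1")))
```

The svchost line from the post classifies as multicast ff02::1:2 (the DHCPv6 all-servers group), which is why a rule blocking IPv6 multicast at the host firewall catches it; the tunnel check is the piece a border device would apply to IPv4 traffic so that 6to4 or similar encapsulation does not slip past rules written only for native IPv6.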