> On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum <iljitsch@muada.com> wrote:
> > A (relatively) easy way to avoid this problem is to either use a stateful firewall that only allows internally initiated sessions, or a filter that lists only addresses that are known to be in use.
> It would certainly be nice to have a stateful firewall on every single LAN connection. Were there high-speed, stateful firewalls in 1994? Perhaps the IPng folks had this solution in mind, but left it out of the standards process. No doubt they all own stock in SonicWall and are eagerly awaiting the day when "Anonymous" takes down a major ISP every day with a simple attack that has been known to exist, but not addressed, for many years.
> You must also realize that the stateful firewall has the same problems
Uh, not exactly...
> as the router. It must include a list of allocated IPv6 addresses on each subnet in order to be able to ignore other traffic. While this
Uh, no it doesn't. It just needs a list of the hosts which are permitted to receive inbound connections from the outside. That's the whole point of the stateful in stateful firewall... It can dynamically allow outbound sessions and only needs to be open for hosts that are supposed to receive external session initiations. Since that list is relatively small and you probably need to maintain it anyway, I'm not really seeing a problem here.
> can certainly be accomplished, it would be much easier to simply list those addresses in the router, which would avoid the expense of any product typically called a "stateful firewall." In either case, you are now maintaining a list of valid addresses for every subnet on the router, and disabling NDP for any other addresses. I agree with you, this knob should be offered by vendors in addition to my list of possible vendor solutions.
Except that routers don't (usually) have the ability to do dynamic outbound filtration which means that you have the scaling problem you've described of having to list every host on the net. If the router does have this ability, then, the router is, by definition, a stateful firewall.
> On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum <iljitsch@muada.com> wrote:
> > Sparse subnets in IPv6 are a feature, not a bug. They're not going to go away.
> I do not conceptually disagree with sparse subnets. With the equipment limitations of today, they are a plan to fail. Let's hope that all vendors catch up to this before malicious people/groups.
There are risks with sparse subnets that have been inadequately addressed for some of their failure modes at this time. I wouldn't go so far as saying they are a plan to fail. In most cases, most networks shouldn't be susceptible to an externally initiated ND attack in the first place because those should mostly be blocked at your border except for hosts that provide services to the larger internet.

Owen
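The border filter Owen describes, written out as an added example (not from the thread): an nftables ruleset that assumes a Linux border device with wan0 facing the Internet and lan0 facing a sparse 2001:db8:1::/64 (documentation prefix, constructed hosts). Inside hosts may initiate sessions freely; only the short list of listed hosts accepts externally initiated sessions, so packets aimed at unassigned addresses in the /64 are dropped before the router would have to send a neighbor solicitation for them.

```nft
#!/usr/sbin/nft -f
# Added example, not from the mailing-list thread. Assumptions: Linux
# border box, wan0 = Internet side, lan0 = sparse 2001:db8:1::/64,
# host addresses below are constructed for illustration.
flush ruleset

table ip6 border {
    # The only addresses that may receive externally initiated sessions.
    # This is the "relatively small" list; nothing else on the /64 needs
    # an entry, because replies to inside-initiated sessions are matched
    # by connection state, not by address.
    set inbound_hosts {
        type ipv6_addr
        elements = { 2001:db8:1::10, 2001:db8:1::25 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # The stateful part: replies to sessions the inside opened.
        # ICMPv6 errors (packet-too-big etc.) for those sessions arrive
        # as "related", so PMTUD keeps working for every inside host.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open sessions to the outside at will.
        iifname "lan0" oifname "wan0" ct state new accept

        # Outside may open sessions only to listed hosts. Anything else
        # destined for the /64 is logged and dropped here, before the
        # forwarding path would trigger neighbor discovery for it.
        iifname "wan0" oifname "lan0" ip6 daddr @inbound_hosts ct state new accept
        iifname "wan0" oifname "lan0" log prefix "nd-protect drop: " drop
    }
}
```

Maintaining the ruleset means editing only the inbound_hosts set when a new service is exposed; the rest of the subnet stays sparse and unreachable from outside without any per-address entries.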