IPV6 SIMPLE SECURITY CAPABILITIES.

Similar documents
Internet Engineering Task Force (IETF) Request for Comments: 6092 Category: Informational January 2011 ISSN:

Network Address Translators (NATs) and NAT Traversal

Firewalls, Tunnels, and Network Intrusion Detection

Charles Perkins Nokia Research Center 2 July Mobility Support in IPv6 <draft-ietf-mobileip-ipv6-14.txt> Status of This Memo

Category: Standards Track June Mobile IPv6 Support for Dual Stack Hosts and Routers

Introduction to IPv6. IPv6 addresses

Cisco CCIE Security Written.

BIG-IP CGNAT: Implementations. Version 13.0

TCP/IP Protocol Suite

Network Working Group Request for Comments: Nokia Research Center F. Dupont GET/ENST Bretagne June 2004

Sample excerpt. Virtual Private Networks. Contents

Internet Control Message Protocol

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery

Internet Engineering Task Force (IETF) Request for Comments: 6146 Category: Standards Track. I. van Beijnum IMDEA Networks April 2011

IPSec. Overview. Overview. Levente Buttyán

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

IPsec NAT Transparency

Personal Firewall Default Rules and Components

Mapping of Address and Port Using Translation

History Page. Barracuda NextGen Firewall F

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

Foreword xxiii Preface xxvii IPv6 Rationale and Features

Chapter 2 Advanced TCP/IP

Network Security: IPsec. Tuomas Aura

Internet Engineering Task Force INTERNET DRAFT. C. Perkins Nokia Research Center R. Droms(ed.) Cisco Systems 1 March 2001

Internet Control Message Protocol (ICMP)

IPv6 Bootcamp Course (5 Days)

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

BIG-IP CGNAT: Implementations. Version 12.1

Implementing Firewall Technologies

Internet Engineering Task Force INTERNET DRAFT. C. Perkins Nokia Research Center R. Droms(ed.) Cisco Systems 15 April 2001

Network Working Group Request for Comments: W. Simpson Daydreamer H. Soliman Elevate Technologies September 2007

Internet Engineering Task Force (IETF) Ericsson July 2011

LECTURE 8. Mobile IP

IPv6 Neighbor Discovery

Introduction to IPv6. IPv6 addresses

Configuring IPv6 basics

Configuring Flood Protection

Introduction to IPv6. IPv6 addresses

A Border Gateway Protocol 3 (BGP-3) DNS Extensions to Support IP version 6. Path MTU Discovery for IP version 6

Guide to TCP/IP Fourth Edition. Chapter 6: Neighbor Discovery in IPv6

Firepower Threat Defense Site-to-site VPNs

Aeronautical Systems Center

P A R T T W O MOBILE IPv6

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6

The IPsec protocols. Overview

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Internet Engineering Task Force. C. Perkins Nokia Research Center R. Droms(ed.) Cisco Systems 22 November 2000

IPv6. Copyright 2017 NTT corp. All Rights Reserved. 1

Access Rules. Controlling Network Access

Configuring IPv6 for Gigabit Ethernet Interfaces

Planning for Information Network

Network Interconnection

Request for Comments: Wichorus G. Tsirtsis Qualcomm T. Ernst INRIA K. Nagami INTEC NetCore October 2009

Shim6 Architecture. Geoff Huston IETF-63 August 2005

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

firewalls perimeter firewall systems firewalls security gateways secure Internet gateways

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

IPv6 migration challenges and Security

VXLAN Overview: Cisco Nexus 9000 Series Switches

ICS 451: Today's plan

Radware ADC. IPV6 RFCs and Compliance

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Chapter 8 roadmap. Network Security

Network Working Group Request for Comments: November Unicast UDP Usage Guidelines for Application Designers

Stateful Network Address Translation 64

Remember Extension Headers?

Different Layers Lecture 20

Mapping of Address and Port (MAP) an ISPs Perspective. E. Jordan Gottlieb Principal Engineer Charter Communications

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

Network Address Translation (NAT) Contents. Firewalls. NATs and Firewalls. NATs. What is NAT. Port Ranges. NAT Example

Mobile IP. rek. Petr Grygárek Petr Grygarek, Advanced Computer Networks Technologies 1

IPsec NAT Transparency

LARGE SCALE IP ROUTING LECTURE BY SEBASTIAN GRAF

COMPUTER NETWORK SECURITY

ipv6 hello-interval eigrp

Internet Engineering Task Force (IETF) Obsoletes: 3315, 3633, 3736, 4242, 7083, 7283, 7550 B. Volz

20-CS Cyber Defense Overview Fall, Network Basics

Rocky Mountain IPv6 Summit April 9, 2008

Operational Security Capabilities for IP Network Infrastructure

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Network layer: Overview. Network layer functions IP Routing and forwarding NAT ARP IPv6 Routing

High Availability Synchronization PAN-OS 5.0.3

Packetization Layer Path Maximum Transmission Unit Discovery (PLPMTU) For IPsec Tunnels

Lecture Computer Networks

Stream Control Transmission Protocol (SCTP)

Network layer: Overview. Network Layer Functions

Context Based Access Control (CBAC): Introduction and Configuration

<draft-huitema-v6ops-teredo-04.txt> Expires July 17, 2005 January 17, Teredo: Tunneling IPv6 over UDP through NATs. Status of this memo

Lecture 13 Page 1. Lecture 13 Page 3

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

CSCE 715: Network Systems Security

IPv6 Neighbor Discovery

Computer Networking: A Top Down Approach Featuring the. Computer Networks with Internet Technology, William

Transcription:

IPV6 SIMPLE SECURITY CAPABILITIES. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB.

ABSTRACT The RFC which this presentation is based upon is focused on IPv6 gateway CPEs - home routers, business Internet gateways. The RFC is informational and refers to other RFCs that are standard documents. The RFC was contributed to by a large group of very experienced TCP/IP network engineers

COPYRIGHT FOR THE RFC Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

OVERVIEW For the purposes of this document, residential Internet gateways are assumed to be fairly simple devices with a limited subset of the full range of possible features. They function as default routers [RFC4294] for a single local-area network, e.g., an Ethernet network, a Wi-Fi network, or a bridge between two or more such segments. They have only one interface by which they can access the Internet service at any one time, using any of several possible sub-ip mechanisms, including tunnels and transition mechanisms. In referring to the security capabilities of residential gateways, it is reasonable to distinguish between their "interior" network, i.e., the local-area network, and their "exterior" networks, e.g., the public Internet and the networks of Internet service providers. This document is concerned only with the behavior of IP packet filters that police the flow of traffic between the interior IPv6 network and the exterior IPv6 networks of residential Internet gateways.

NOT A STANDARD, BUT VERY USEFUL Even though this RFC is not a standards-track document, it s a very useful document If you refer to this document in your procurement process, you have a good reference Some requirements can of course be discussed - and we hope they will be! Feedback is of course welcome - on Facebook, Twitter or as a comment on our web page.

RECOMMENDED OPERATIONAL GOALS FOR THE FIREWALL Check all traffic to and from Internet for basic sanity Allow tracking of application usage by source and destination network addresses and ports Provide a barrier agains untrusted external influences Allow manually configured exceptions Isolate local network DHCPv6 and DNS resolver services from the public Internet RFC 4864

50 RECOMMENDATIONS Read the RFC for details and references to other documents and web pages. The RFC has much more background material. This is just a checklist based on the RFC to simplify your checks with current products and firewall rulesets.

1. STATELESS FILTERS: MULTICAST SOURCE Packets bearing multicast source address in their outer IPv6 headers MUST NOT be forwarded or transmitted on any interface

2. STATELESS FILTERS: MULTICAST DESTINATION Packets bearing multicast destination addresses in their outer IPv6 headers of equal or narrower scope than the configured scope boundary level of the gateway MUST NOT be forwarded in any direction. The default scope SHOULD be organization-local scope. See RFC 4007 for scopes.

3. STATELESS FILTERS: FORBIDDEN ADDRESSES Packets bearing source and/or destination addresses forbidden to appear in the outer headers of packets transmitted over the public Internet MUST NOT be forwarded. See RFC 3879 and 5156.

4. STATELESS FILTERS: BAD EXTENSION HEADERS Packets bearing deprecated extension headers prior to their first upper-layer-protocol header SHOULD NOT be forwarded or transmitted over any interface. See RFC 2460 and 5095.

5. STATELESS FILTERS: NON-LOCAL ADDRESSES Outbound packets MUST NOT be forwarded if the source address in their outer IPv6 header does not have a unicast prefix configured for use by globally reachable nodes on the interior network.

6. STATELESS FILTERS: LOCAL ADDRESSES ON INBOUND PACKETS Inbound packets MUST NOT be forwarded if the source address in their outer IPv6 header has a global unicast prefix assigned for use by globally reachable nodes on the internal network. Don t accept spoofed addresses.

7. STATELESS FILTERS: UNIQUE LOCAL ADDRESSES By DEFAULT, packets with unique local source and/or destination addresses SHOULD NOT be forwarded to or from the exterior network. ULA: RFC 4193

8. STATELESS FILTERS: DNS QUERIES By DEFAULT, inbound DNS queries received on the exterior interfaces MUST NOT be processed by any integrated DNS resolving server. A gateway with DNS should serve the internal network only.

9. STATELESS FILTERS: DHCPV6 Inbound DHCPv6 discovery packets received on exterior interfaces MUST NOT be processed by any integrated DHCPv6 server or relay agent. A gateway with DHCPv6 should serve the internal network only.

10. CONNECTION-FREE FILTERS: ICMPV6 IPv6 gateways SHOULD NOT forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing IP headers that do not match generic upper-layer transport state records RFC 4890 describes filtering of ICMPv6

11. CONNECTION-FREE FILTERS: APPLICATIONS If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for generic upper-layer transport protocols. If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering" behavior. The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for other protocols. Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management. A gateway is said to have "endpoint-independent filtering" behavior when the exterior address is not evaluated when matching a packet with a flow. A gateway is said to have "address-dependent filtering" behavior when the exterior address of a packet is required to match the exterior address for its flow.

12. CONNECTION-FREE FILTERS: TIMEOUT FOR APPLICATIONS Filter state records for generic upper-layer transport protocols MUST NOT be deleted or recycled until an idle timer not less than two minutes has expired without having forwarded a packet matching the state in some configurable amount of time. By DEFAULT, the idle timer for such state records is five minutes.

13. CONNECTION-FREE FILTERS: APPLICATION UPDATES Residential IPv6 gateways SHOULD provide a convenient means to update their firmware securely, for the installation of security patches and other manufacturer-recommended changes The Internet security community is never completely at rest. New attack surfaces, and vulnerabilities in them, are typically discovered faster than they can be patched by normal equipment upgrade cycles. It's therefore important for vendors of residential gateway equipment to provide automatic software updates to patch vulnerabilities as they are discovered.

14. CONNECTION-FREE FILTERS - UDP: UDP TIMEOUTS A state record for a UDP flow where both source and destination ports are outside the well-known port range (ports 0-1023) MUST NOT expire in less than two minutes of idle time. The value of the UDP state record idle timer MAY be configurable. The DEFAULT is five minutes. Based on RFC 4787 which describes best practise for IPv4 UDP filtering

15. CONNECTION-FREE FILTERS - UDP: UDP TIMEOUTS A state record for a UDP flow where one or both of the source and destination ports are in the well-known port range (ports 0-1023) MAY expire after a period of idle time shorter than two minutes to facilitate the operation of the IANAregistered service assigned to the port in question. Based on RFC 4787 which describes best practise for IPv4 UDP filtering

16. CONNECTION-FREE FILTERS - UDP: CONNECTION STATE REFRESH A state record for a UDP flow MUST be refreshed when a packet is forwarded from the interior to the exterior, and it MAY be refreshed when a packet is forwarded in the reverse direction. NAT keepalives should come from the inside.

17. CONNECTION-FREE FILTERS - UDP: APPLICATION TRANSPARENCY If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for UDP. If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering" behavior. The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for TCP and other protocols. Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management.

18. CONNECTION-FREE FILTERS - UDP: CONNECTION RELATED ICMP MESSAGES If a gateway forwards a UDP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing UDP headers that match the flow state record. See Path MTU Discovery RFC 1981

19. CONNECTION-FREE FILTERS - UDP: ICMPV6 AND THE CONNECTION STATE Receipt of any sort of ICMPv6 message MUST NOT terminate the state record for a UDP flow.

20. CONNECTION-FREE FILTERS - UDP: UDP-LITE IS A SEPARATE FLOW UDP-Lite flows [RFC3828] SHOULD be handled in the same way as UDP flows, except that the upper-layer transport protocol identifier for UDP-Lite is not the same as UDP; therefore, UDP packets MUST NOT match UDP-Lite state records, and vice versa.

21. CONNECTION-FREE FILTERS - IPSEC: IPSEC FILTERING - AH In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with destination extension headers of type "Authentication Header (AH)" [RFC4302] in their outer IP extension header chain. The Internet Protocol security (IPsec) suite offers greater flexibility and better overall security than the simple security of stateful packet filtering at network perimeters. Therefore, residential IPv6 gateways need not prohibit IPsec traffic flows.

22. CONNECTION-FREE FILTERS - IPSEC: IPSEC FILTERING -ESP In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with an upper-layer protocol of type "Encapsulating Security Payload (ESP)" [RFC4303] in their outer IP extension header chain.

23. CONNECTION-FREE FILTERS - IPSEC: IPSEC RELATED ICMPV6 If a gateway forwards an ESP flow, it MUST also forward (in the reverse direction) ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing ESP headers that match the flow state record.

24. CONNECTION-FREE FILTERS - IPSEC: IKE FOR IPSEC In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of any UDP packets, to and from legitimate node addresses, with a destination port of 500, i.e., the port reserved by IANA for the Internet Key Exchange (IKE) protocol IKE - see RFC 5996

25. CONNECTION-FREE FILTERS - IPSEC: ESP FILTERS In all operating modes, IPv6 gateways SHOULD use filter state records for Encapsulating Security Payload (ESP) [RFC4303] that are indexable by a 3-tuple comprising the interior node address the exterior node address the ESP protocol identifier. In particular, the IPv4/NAT method of indexing state records also by the security parameters index (SPI) SHOULD NOT be used. Likewise, any mechanism that depends on detection of Internet Key Exchange (IKE) [RFC5996] initiations SHOULD NOT be used.

26. CONNECTION-FREE FILTERS - IPSEC: HOST IDENTITY PROTOCOL In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with destination extension headers of type "Host Identity Protocol (HIP)" in their outer IP extension header chain. The Host Identity Protocol (HIP) is a secure mechanism for establishing host identity and secure communications between authenticated hosts. Residential IPv6 gateways need not prohibit inbound HIP flows. HIP - See RFC 5201

27. CONNECTION-FREE FILTERS - MOBILITY: MOBILE IPV6 The state records for flows initiated by outbound packets that bear a Home Address destination option are distinguished by the addition of the home address of the flow as well as the interior care-of address. IPv6 gateways MUST NOT prohibit the forwarding of any inbound packets bearing type 2 routing headers, which otherwise match a flow state record, and where A) the address in the destination field of the IPv6 header matches the interior careof address of the flow, and B) the Home Address field in the Type 2 Routing Header matches the home address of the flow. Not all usage scenarios of mobility support in IPv6 are expected to be compatible with IPv6 simple security. In particular, exterior mobile nodes are expected to be prohibited from establishing bindings with interior correspondent nodes by the filtering of unsolicited inbound Mobility Header messages, unless they are the subject of an IPsec security policy. IPv6 Mobile IP - RFC 3775

28. CONNECTION-FREE FILTERS - MOBILITY: MOBILITY FLOWS Valid sequences of Mobility Header [RFC3775] packets MUST be forwarded for all outbound and explicitly permitted inbound Mobility Header flows.

29. CONNECTION-FREE FILTERS - MOBILITY: MOBILITY FLOWS If a gateway forwards a Mobility Header [RFC3775] flow, then it MUST also forward, in both directions, the IPv4 and IPv6 packets that are encapsulated in IPv6 associated with the tunnel between the home agent and the correspondent node.

30. CONNECTION-FREE FILTERS - MOBILITY: MOBILITY FLOWS - ICMPV6 If a gateway forwards a Mobility Header [RFC3775] flow, then it MUST also forward (in the reverse direction) ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing any headers that match the associated flow state records.

31. CONNECTION-ORIENTED FILTERS: TCP TCP HANDSHAKES All valid sequences of TCP packets (defined in [RFC0793]) MUST be forwarded for outbound flows and explicitly permitted inbound flows. In particular, both the normal TCP 3-way handshake mode of operation and the simultaneous-open mode of operation MUST be supported. See RFC 793

32. CONNECTION-ORIENTED FILTERS: TCP TCP WINDOW HANDLING The TCP window invariant MUST NOT be enforced on flows for which the filter did not detect whether the window-scale option was sent in the 3-way handshake or simultaneousopen. See RFC 1323

33. CONNECTION-ORIENTED FILTERS: TCP TCP STATEFUL FILTERS If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for TCP. If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering behavior. The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for UDP and other protocols. Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management.

34. CONNECTION-ORIENTED FILTERS: TCP UNSOLICITED TCP SYN PACKETS By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited) to any unsolicited inbound SYN packet after waiting at least 6 seconds without first forwarding the associated outbound SYN or SYN/ACK from the interior peer.

35. CONNECTION-ORIENTED FILTERS: TCP TCP SESSION TIMEOUTS If a gateway cannot determine whether the endpoints of a TCP flow are active, then it MAY abandon the state record if it has been idle for some time. In such cases, the value of the "established flow idle-timeout" MUST NOT be less than two hours four minutes, as discussed in [RFC5382]. The value of the "transitory flow idle-timeout" MUST NOT be less than four minutes. The value of the idle-timeouts MAY be configurable by the network administrator.

36. CONNECTION-ORIENTED FILTERS: TCP ICMPV6 RELATED TO TCP SESSION If a gateway forwards a TCP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing TCP headers that match the flow state record. Several TCP mechanisms depend on the reception of ICMPv6 error messages triggered by the transmission of TCP segments. One such mechanism is path MTU discovery, which is required for correct operation of TCP.

37. CONNECTION-ORIENTED FILTERS: TCP ICMPV6 RELATED TO TCP SESSION STATES Receipt of any sort of ICMPv6 message MUST NOT terminate the state record for a TCP flow. Several TCP mechanisms depend on the reception of ICMPv6 error messages triggered by the transmission of TCP segments. One such mechanism is path MTU discovery, which is required for correct operation of TCP.

38. CONNECTION-ORIENTED FILTERS: SCTP SCTP CONNECTION SETUP All valid sequences of SCTP packets (defined in [RFC4960]) MUST be forwarded for outbound associations and explicitly permitted inbound associations. In particular, both the normal SCTP association establishment and the simultaneous-open mode of operation MUST be supported. The RFC this presentation is based upon - 6092 - includes a lot of information about SCTP security

39. CONNECTION-ORIENTED FILTERS: SCTP UNSOLICITED INIT REQUESTS By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound INIT packet after waiting at least 6 seconds without first forwarding the associated outbound INIT from the interior peer.

40. CONNECTION-ORIENTED FILTERS: SCTP UNSOLICITED INIT REQUESTS By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound INIT packet after waiting at least 6 seconds without first forwarding the associated outbound INIT from the interior peer.

41. CONNECTION-ORIENTED FILTERS: SCTP SCTP RELATED ICMPV6 If a gateway forwards an SCTP association, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing SCTP headers that match the association state record.

42. CONNECTION-ORIENTED FILTERS: SCTP SCTP RELATED ICMPV6 Receipt of any sort of ICMPv6 message MUST NOT terminate the state record for an SCTP association.

43. CONNECTION-ORIENTED FILTERS: DCCP DCCP FLOWS All valid sequences of DCCP packets (defined in [RFC4340]) MUST be forwarded for all flows to exterior servers, and for any flows to interior servers that have explicitly permitted service codes. Datagram Congestion Control protocol - DCCP - RFC 4340

44. CONNECTION-ORIENTED FILTERS: DCCP DCCP FLOW TIMEOUTS A gateway MAY abandon a DCCP state record if it has been idle for some time. In such cases, the value of the "open flow idle-timeout" MUST NOT be less than two hours four minutes. The value of the "transitory flow idle-timeout" MUST NOT be less than eight minutes. The value of the idle-timeouts MAY be configurable by the network administrator.

45. CONNECTION-ORIENTED FILTERS: DCCP DCCP FLOW & ICMPV6 If an Internet gateway forwards a DCCP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing DCCP headers that match the flow state record.

46. CONNECTION-ORIENTED FILTERS: DCCP DCCP FLOW & ICMPV6 Receipt of any sort of ICMPv6 message MUST NOT terminate the state record for a DCCP flow.

47. CONNECTION-ORIENTED FILTERS THE SHIM6 PROTOCOL Valid sequences of packets bearing Shim6 payload extension headers in their outer IP extension header chains MUST be forwarded for all outbound and explicitly permitted flows. The content of the Shim6 payload extension header MAY be ignored for the purpose of state tracking. Level 3 Multihoming Shim Protocol for IPv6 RFC 5533

47. CONNECTION-ORIENTED FILTERS THE SHIM6 PROTOCOL Valid sequences of packets bearing Shim6 payload extension headers in their outer IP extension header chains MUST be forwarded for all outbound and explicitly permitted flows. The content of the Shim6 payload extension header MAY be ignored for the purpose of state tracking. Level 3 Multihoming Shim Protocol for IPv6 RFC 5533

48. PUBLISHING SERVICES: INTERNAL SERVICES Internet gateways with IPv6 simple security capabilities SHOULD implement a protocol to permit applications to solicit inbound traffic without advance knowledge of the addresses of exterior nodes with which they expect to communicate. This is very vague, since the IETF has not agreed on a recommendation.

49. PUBLISHING SERVICES: DISABLING THE STATEFUL FIREWALL Internet gateways with IPv6 simple security capabilities MUST provide an easily selected configuration option that permits a "transparent mode" of operation that forwards all unsolicited flows regardless of forwarding direction, i.e., not to use the IPv6 simple security capabilities of the gateway. The transparent mode of operation MAY be the default configuration. This assumes that the IPv6 simple security capabilities replace the role of the IPv4 NAT.

50. FIREWALL MANAGEMENT: DO NOT LET THE HACKER TAKE OVER... By DEFAULT, subscriber-managed residential gateways MUST NOT offer management application services to the exterior network. This assumes that the IPv6 simple security capabilities replace the role of the IPv4 NAT.

NOTE The security functions described in this document may be considered redundant in the event that all IPv6 hosts using a particular gateway have their own IPv6 host firewall capabilities enabled. At the time of this writing, the vast majority of commercially available operating systems with support for IPv6 include IPv6 host firewall capability. The IETF makes no statement, expressed or implied, as to whether using the capabilities described in this document ultimately improves security for any individual users or for the Internet community as a whole.

NOW, GO READ THE COMPLETE RFC. http://tools.ietf.org/html/rfc6092 TWITTER @IPV6FRIDAY

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback