34 Replies Latest reply on Oct 30, 2013 6:14 PM by pandom_

    Firewalls and IPv6.

    Brandon Carroll

      This week's thought was inspired by a previous post by Nick Buraglio that discussed how people are dealing with integration of IPv6 and QoS.  I've always been a big fan of IPv6 and have taught the Cisco IP6FD course for many years.  The Cisco IOS that I've worked with has IPv6 capability for Zone-Based Policy Firewalls, and the Cisco ASA also supports IPv6.  I'm curious how IPv6 is being deployed with Firewalls.


      It's obvious that the more deployments of IPv6 we have, the more IPv6 traffic our Firewalls are going to see (or should see).  I've seen some dual-stack deployments where IPv6 traffic rides the same pipes as IPv4, which includes the firewall.  Other networks that I've encountered have taken a different approach with regard to IPv6.  Some enterprises are keeping IPv6 separate in routers, firewalls and so on.  This of course means I need a separate firewall for IPv6, which means I'm creating separate policy for IPv6 and IPv4.

      So today I'm wondering two things.


      1. How are you deploying IPv6 with your firewalls?  Dual Stack Firewalls or on separate entities?
      2. If you are deploying them as separate entities, how are you managing them?
        • Re: Firewalls and IPv6.
          Aaron Denning

          We haven't even started to talk about doing this yet, which I've told our Network guys is dumb; we need to at least make a plan if nothing else. But I'm just the dumb monitoring guy, so I have no idea what I'm talking about...

          • Re: Firewalls and IPv6.
            wbrown

            Anyone that says they're not deploying IPv6 is either stuck on pre-WinXP workstations and pre-Win2008 servers, or not fully aware of what is in their environment.


            We don't have an official plan on migration or rollout.  However, I am disabling IPv6 routing and CEF where possible as well as actively blocking v6 traffic (both native v6 and translation protocols such as Teredo) on all my firewalls.  This at least helps prevent ad-hoc v6 networks from growing and causing unknown issues.

              • Re: Firewalls and IPv6.
                Brandon Carroll

                And that's a great point.  Even if you're not planning a deployment you have to factor in where it's enabled by default and address it.  Too many networks running it ad-hoc is a security concern that most overlook.

                • Re: Firewalls and IPv6.
                  deverts

                  wbrown,


                  Would you/could you share some of the steps you've taken and how? I've tried to do a little of this, but it seems that Microsoft has embedded IPv6 into its code. Every attempt I've made to get control on the network side has resulted in broken apps (particularly MS apps).


                  D

                    • Re: Firewalls and IPv6.
                      wbrown

                      Below is the ACL that I put at the start of my ACLs in my Cisco firewalls.

                      The "any6" keyword is available in version 9.x and above.  The firmware versions below that require separate ACLs for v4 and v6 traffic.

                      The v6-only ACLs have a single line: deny ip any any.

                      If anyone has tunneling protocols that I don't have listed, please feel free to share and I'll update the ACL with the additions.

                      Protocol numbers per http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

                      Port numbers per http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

                      41 - IPv6 encapsulation
                      43 - IPv6 Routing header
                      44 - IPv6 fragment header
                      58 - IPv6 ICMP
                      59 - No next header for IPv6
                      60 - Destination options for IPv6

                      Port 3544 - Teredo port
                      Port 3653 - TSP signaling RFC 5572

                      access-list CAMPUS-IN remark Native IPv6 in either direction (any6 keyword needs ASA 9.x)
                      access-list CAMPUS-IN extended deny ip any6 any
                      access-list CAMPUS-IN extended deny ip any any6
                      access-list CAMPUS-IN remark IPv6-in-IPv4 encapsulation and IPv6 extension headers, by IANA protocol number
                      access-list CAMPUS-IN extended deny 41 any any
                      access-list CAMPUS-IN extended deny 43 any any
                      access-list CAMPUS-IN extended deny 44 any any
                      access-list CAMPUS-IN extended deny icmp6 any any
                      access-list CAMPUS-IN extended deny 59 any any
                      access-list CAMPUS-IN extended deny 60 any any
                      access-list CAMPUS-IN remark Protocol 140 is Shim6
                      access-list CAMPUS-IN extended deny 140 any any
                      access-list CAMPUS-IN remark Teredo (3544) and TSP tunnel broker signaling (3653)
                      access-list CAMPUS-IN extended deny tcp any any eq 3544
                      access-list CAMPUS-IN extended deny udp any any eq 3544
                      access-list CAMPUS-IN extended deny tcp any any eq 3653
                      access-list CAMPUS-IN extended deny udp any any eq 3653


                      At the moment I cannot find any config examples where I was able to disable v6 routing and CEF.  I have so few devices that allow me to do so that I haven't written an NCM policy to enforce it and I don't remember which devices they are.  When I find an example I'll post it here.

                      I do have a number of devices where the commands are present to enable v6 CEF but the "no" form of the command has no effect.

                        • Re: Firewalls and IPv6.
                          deverts

                          You just became my hero! For this week, anyhow.  I've seen a ton of things on how to do this, and I've tried them...with failure. But sometimes, simple is the best method. Of course, I'll need to upgrade all my 8.2(5) ASAs to 9.x now, but that should be easy enough since the ASAs are very simple configs and don't have a ton of NATs that need to be converted.


                          Many thanks!

                          D

                            • Re: Firewalls and IPv6.
                              wbrown

                              Cool.


                              Meantime, with the exception of the first 2 lines, you can implement that ACL on your existing 8.2 ASAs.  My 8.2 boxes have a v6 ACL applied to the interfaces as well to block any-any.

                              The 8.2(x) ASA's interface can have 1 v4 ACL applied in each direction as well as 1 v6 ACL applied in each direction, for a total of 4 ACLs that can be applied to an interface.

                              My rule for the v6 ACL on an 8.2 ASA is:

                                   ipv6 access-list V6-DENYALL deny ip any any

                              Which is then applied just like the v4 ACL:

                                   access-group V6-DENYALL in interface CAMPUS
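Added example, not wbrown's or Cisco's code: a small Python simulator for the CAMPUS-IN list posted above and the 8.2 caveat in this reply, so the order of the deny lines can be checked against constructed flows before a change is pushed. Assumptions: only the keywords used in the posted list are parsed; on ASA 9.x "any" matches both IPv4 and IPv6 while "any6" matches only IPv6, and on 8.2 "any" is IPv4 only and any6 does not exist (supports_any6=False); the separate 8.2 ipv6 access-list is not modelled, and a trailing permit is constructed so that IPv4 traffic which passes every deny line is visible.

```python
# Added example (not from the thread): simulate the posted ASA extended ACL
# against sample flows to check the deny order before pushing it. Only the
# keywords in that list are parsed. Assumed semantics: on ASA 9.x "any" matches
# IPv4 and IPv6 and "any6" only IPv6; on 8.2 "any" is IPv4 only and any6 does
# not exist (supports_any6=False). The 8.2 ipv6 access-list is not modelled.
import re

RULE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\d+))?$"
)
PROTO_KEYWORDS = {"ip": None, "tcp": 6, "udp": 17, "icmp6": 58}  # None = any
def _versions(token, supports_any6):
    # IP versions an address keyword matches.
    if token == "any":
        return {4, 6} if supports_any6 else {4}
    if token == "any4" or (token == "any6" and supports_any6):
        return {int(token[-1])}
    raise ValueError(f"unsupported address token: {token}")

def parse_acl(text, supports_any6=True):
    """Parse ACL lines into rule dicts, keeping the configured order."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported line: {line}")
        p = m["proto"]
        rules.append({"text": line, "action": m["action"],
                      "proto": PROTO_KEYWORDS[p] if p in PROTO_KEYWORDS else int(p),
                      "src": _versions(m["src"], supports_any6),
                      "dst": _versions(m["dst"], supports_any6),
                      "port": int(m["port"]) if m["port"] else None})
    return rules

def evaluate(rules, flow):
    """First matching rule as (action, text); the ASA denies implicitly if none
    matches. flow = {"version": 4|6, "proto": <protocol number>, "dport": int|None}."""
    v = flow["version"]
    for r in rules:
        if (r["proto"] in (None, flow["proto"]) and v in r["src"]
                and v in r["dst"] and r["port"] in (None, flow["dport"])):
            return r["action"], r["text"]
    return "deny", "implicit deny"

# The posted list plus a constructed trailing permit, so IPv4 that passes shows.
CAMPUS_IN = """
access-list CAMPUS-IN extended deny ip any6 any
access-list CAMPUS-IN extended deny ip any any6
access-list CAMPUS-IN extended deny 41 any any
access-list CAMPUS-IN extended deny 43 any any
access-list CAMPUS-IN extended deny 44 any any
access-list CAMPUS-IN extended deny icmp6 any any
access-list CAMPUS-IN extended deny 59 any any
access-list CAMPUS-IN extended deny 60 any any
access-list CAMPUS-IN extended deny 140 any any
access-list CAMPUS-IN extended deny tcp any any eq 3544
access-list CAMPUS-IN extended deny udp any any eq 3544
access-list CAMPUS-IN extended deny tcp any any eq 3653
access-list CAMPUS-IN extended deny udp any any eq 3653
access-list CAMPUS-IN extended permit ip any any
"""
def check_all(acl_text=CAMPUS_IN, supports_any6=True):
    """Action taken on constructed flows: native IPv6 HTTPS, a protocol-41
    (6to4/ISATAP) tunnel, Teredo (UDP 3544) and plain IPv4 HTTPS."""
    rules = parse_acl(acl_text, supports_any6)
    flows = {"native v6 https": (6, 6, 443), "proto-41 tunnel": (4, 41, None),
             "teredo": (4, 17, 3544), "plain v4 https": (4, 6, 443)}
    return {n: evaluate(rules, dict(zip(("version", "proto", "dport"), f)))[0]
            for n, f in flows.items()}
```

Running check_all() with the full list shows the three IPv6 and tunnel flows denied and the plain IPv4 flow permitted; parsing the same list with supports_any6=False raises on the any6 lines, which is why the 8.2 boxes need the separate V6-DENYALL list.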

                      • Re: Firewalls and IPv6.
                        Aaron Denning

                        I think our guys are stuck in the past and just hate the fact that it's a big change for them, and it will also put work on them. Our network guys are kinda lazy: if it can't be done in 10 mins it's gonna take them days to do it, because they will literally do 10 mins of work then leave. But hopefully I can get a bug in my boss' ear to start the change to IPv6.

                        • Re: Firewalls and IPv6.
                          xbod

                          We take the same approach as wbrown, block it where we can and keep it disabled on our devices.

                          • Re: Firewalls and IPv6.
                            syldra

                            Same as wbrown and xbod, block and disable for now. We are not ready, but at least I'm smart enough to know it.

                            • Re: Firewalls and IPv6.
                              Kurt H
                              1. How are you deploying IPv6 with your firewalls?  Dual Stack Firewalls or on separate entities? We have dual stack firewalls, but are not deploying IPv6 to them right now.
                              2. If you are deploying them as separate entities, how are you managing them? With Orion, and manual configuration changes as needed.
                              • Re: Firewalls and IPv6.
                                802jr

                                We have gone as far as disabling the IPv6 stack on all Win7 and Server 2008. We try not to manage these as we are not ready for it. Sad to say that our techs have a hard time with IPv4, so throwing IPv6 into the mix would just throw them for an endless loop.

                                • Re: Firewalls and IPv6.
                                  bsciencefiction.tv

                                  We actually have a dedicated ipv6 team for our rollout.  They are quite secretive in their implementation.  One day they may pull back the curtain and share with the rest of us.

                                    • Re: Firewalls and IPv6.
                                      Brandon Carroll

                                      Interesting.  I wonder if they are tunneling through your network right now or if it's independent.  Stealth mode always interests me.  Why are they so secretive?  Maybe because they are learning themselves, want job security, have sensitive data on there...   who knows.  Sounds pretty cool though.

                                    • Re: Firewalls and IPv6.
                                      cahunt

                                      We have no team for rollout, and I'm not even sure if our engineers have a plan exactly. Both would be nice. We have a couple of areas that now have IPv6 enabled for a few specific services or items, but for the most part it is blocked in just about every area. The current/old VPN blocks all IPv6, and I am sure the new VPN box that is phasing in has at least a few IPv6 arguments to restrict the traffic to designated areas. Most desktops though do not have the IPv6 stack disabled. Some days we are just too big...

                                      • Re: Firewalls and IPv6.
                                        freid.42

                                        We have not even started to think about IPv6 in our company. We have even blocked it from leaving our network. I think we would tunnel IPv6 from the outside to the inside if we ever needed to.

                                        • Re: Firewalls and IPv6.
                                          th3cap3

                                          I am in the same boat as bsciencefiction.tv, our IPv6 team is very hush hush about it all. I kind of understand where they are coming from though, IPv6 is an enigma to most people and I am sure they would rather not have to try and explain what it is or why it should be implemented. They have larger concerns to deal with :-)

                                          • Re: Firewalls and IPv6.
                                            Brandon Carroll

                                            I knew IPv6 was not the "hot topic" in IT departments today, but I'm shocked that more people aren't in the midst of a deployment or integration.  This could stem from us being spoiled with IPv4 addresses here in the United States.  Either way, I think more companies should be active on the IPv6 front.

                                            • Re: Firewalls and IPv6.
                                              Kevin Rak

                                              We have a managed firewall and I hadn't really put much thought to this question. Internally we're all IPv4 and that's still suiting us for the moment. I'll have to ask them this question though. Thanks for the thought Brandon!

                                              • Re: Firewalls and IPv6.
                                                RichardLetts

                                                As the manager of a NOC with a sizeable number of IPv6/IPv4 peers I can say that I think anyone running separate border routers and firewalls for IPv6 and IPv4 is asking for trouble. I know of some sites that are even using different AS numbers to advertise their IPv4 and IPv6 space.


                                                This is not a good idea, really it's not.


                                                IMNSHO, manage this critical part of your infrastructure in parallel or you're going to mess up badly. If the IPv6 traffic takes a different path from the IPv4 traffic, and the web servers are probably configured to statically route through the IPv4 return path, then any firewall kills the TCP connections [it thinks are invalid].


                                                About once a month I have to phone someone up to let them know they have messed up their IPv6 BGP peerings.

                                                • Re: Firewalls and IPv6.
                                                  EchoDelta

                                                  Well... WS2012 is very biased toward v6 for high-end features (and I like some of those features), and there are Teredo tunnels all over the place; just sniff a DA box. I especially love the v6 DNS reaction of replication over v4 links: it doesn't always fall back to the v4 DNS answer.


                                                  My current customer's approach has been internal controlled builds of v6 (if your ESX has v6 disabled, a guest might still be running amok), and perimeter blocking, until the ISP provides a routable address space.


                                                  On the firewall side we are working toward directory-based identity agents for ACLs, vs. our legacy v4 address-space ACLs, and NAT is based on destination 6to4,


                                                  but that's just my left-handed way of skinning a cat...

                                                  • Re: Firewalls and IPv6.
                                                    agatward

                                                    We're a production IPv6 site and have found that a number of small performance / random delay issues with things like Exchange and Lync don't happen if you're in a dual-stack environment.  Fortunately Microsoft have realised that the auto tunnels (if you have public IPv4 space) are a bad thing, so one of the more recent optional Windows updates has disabled this functionality.  We had disabled it by other means ourselves (just create an empty DNS zone for 6to4.ipv6.microsoft.com).


                                                    We have just over 12,000 hosts on IPv4, and have enabled about a third of those for IPv6 so far, dual stacked.  We're native IPv6 all the way through the network perimeter and our corporate policy is that every new or updated service will be enabled for IPv6 unless the vendor can give a very good reason not to. So far we've only had one vendor give a suitable reason.


                                                    Our largest IPv6 network is our wifi guest network for our students and staff to use, in fact this was the first production network to have IPv6 enabled.  From memory, we've only ever had one incident ticket caused by having IPv6 enabled, and that was because I'd forgotten to add the particular network to the routing protocols.


                                                    As for our firewalls, well, we're a large site so we run mid to high-end Juniper kit; IPv6 is almost fully supported through their entire SRX range.

                                                      • Re: Firewalls and IPv6.
                                                        EchoDelta

                                                        ipv6 guest access is a great testbed! I hadn't worried about that since my NAP expert implemented ipsec, but I really like stack separation for an extra layer of isolation.

                                                        • Re: Firewalls and IPv6.
                                                          Brandon Carroll

                                                          Good info here.  And it's good to hear the Juniper SRX has good IPv6 support.  DPI and all?

                                                            • Re: Firewalls and IPv6.
                                                              agatward

                                                              Yes, DPI and all, including IPS and AppFW support if you have the appropriate licenses enabled.  The only caveats I've found so far are VPN related: you can't carry v6 traffic inside a v4 IPSEC VPN or vice versa, but this isn't a problem for us as we're using pseudowires in GRE in IPSEC.


                                                              From experience, the auto tunnelling done by Microsoft was what caught most people out, especially some of the server admins who didn't know / realise their systems would do this, then wondered why things went a bit odd when we enabled v6 in certain areas.  It doesn't break things, just makes them slow, so if you see 3 - 5 second delays on things that were working fine, this is a possible cause.

                                                          • Re: Firewalls and IPv6.
                                                            bsnickle

                                                            Currently we are in the testing phase (lab deployment only) and running as a dual stack. All new implementations must be IPv6 capable.

                                                            • Re: Firewalls and IPv6.
                                                              byrona

                                                              Unfortunately we have not done much in the way of implementing IPv6; however, at this point most of our systems and applications should support it.

                                                              • Re: Firewalls and IPv6.
                                                                buraglio

                                                                My opinion on this has been expounded liberally and debated heavily.  My recommendation is to deploy native IPv6 with dual stacked IPv4 everywhere.  It removes any tunneling issues and provides a well controlled environment.

                                                                The realistic way is to plan for IPv6 and to do phased deployments, knowing that there are going to be software instances that don't do it in the desktop, server, security and Layer 3 fields.  Be careful with blocking IPv6 tunneling wholesale.  For anyone that does not have complete control over their desktops and other systems, you will likely start to experience "performance problems" as translation mechanisms like 6to4 time out.

                                                                One other transition plan that I have personally done and promoted is to build your own 6to4 / Miredo gateway.  It's cheap, easy and will keep all of that pesky traffic inside your network instead of being tunneled out.  Placing this in your DMZ is a good first step.  Really, though, the effort spent on it is probably better used pushing it out natively unless your environment is huge.

                                                                As mentioned the Juniper SRX has decent v6 support, we helped to work the bugs out of that over the last few years at my previous employer and there are a number of other platforms that actually do it well now, too.

                                                                However, another good data point is that if you have private IPv4, you'll be dual stacking public IPv6 space onto that, so be mindful of the policy.  There are a lot of caveats with blocking aspects of IPv6 as well: wholesale blocking of ICMP, a popular (yet fruitless in my opinion) policy in IPv4, will cause issues in IPv6.


                                                                I can talk ad nauseam about this so I'll stop myself there =)


                                                                nb

                                                                • Re: Firewalls and IPv6.
                                                                  pandom_

                                                                  A great thread starting good conversation. We've taken the following approach:

                                                                  • Control and restrict IPv6 networks where possible.
                                                                  • Ensure speakers are muted - desktops, servers, infrastructure.
                                                                  • Planning migration and testing IPv6 islands.
                                                                    • Starting from the Internet edge.
                                                                    • Working our way to the desktop.
                                                                    • Slowly lift restrictions.

                                                                  Control is important.


                                                                  I think it is important to remember that applications such as Dropbox, iTunes, and MS products use IPv6 to talk across networks with LAN based features. Some food for thought.