Does IPv6 tunneling present any problem for a firewall in an IPv4 network? Explain your reasoning for this answer.
Yes, IPv6 tunneling does present a problem for a firewall in an IPv4 network. IPv6 tunneling has been discussed for years, and even though actual IPv6 deployments have become more common since the summer of 2008, the vast majority of networks still run only IPv4. The reason the problem exists is quite simple: even if a network runs only IPv4, IPv6-enabled hosts can communicate over IPv6 natively with layer-2 adjacent nodes, or by using transition mechanisms such as 6to4, ISATAP or Teredo tunnels. As soon as two IPv6 hosts can communicate, this communication channel can be used as an attack channel, and that is where the major problem for the firewall protecting the network arises. As a result, all network administrators and security officers should learn about IPv6 and its security threats and mitigation techniques even before deploying IPv6 in their network.
1. ISATAP (RFC 5214): To link a single host to an ISATAP tunnel server (such as an IOS router), and through this server to an IPv6 node, it uses IPv4 protocol 41. It is mainly used within an organization because it can be used with RFC 1918 addresses. The default tunnel server is the host named isatap in the default DNS domain.
2. 6to4 (RFC 3056): To connect a single host or multiple networks to IPv6, it relies on IPv4 protocol 41. It requires the use of a globally routable address; in other words, it does not work with RFC 1918 addresses. The default 6to4 relay acting as a gateway between IPv6 and IPv4 has a well-known address, 192.88.99.1, which is anycast (meaning that several organizations run a 6to4 relay and advertise its existence to their neighbors).
3. Teredo (RFC 4380): To link a single computer to IPv6, it relies on UDP so that the tunnel can traverse NAT devices. Teredo uses UDP port 3544 to communicate with Teredo servers, which act as dispatchers between Teredo clients and Teredo relays.
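The three mechanisms above leave recognisable fingerprints in plain IPv4 traffic: IPv4 protocol 41 (with the inner IPv6 source in 2002::/16 or the 192.88.99.1 relay for 6to4, and the ::0:5efe:w.x.y.z interface identifier for ISATAP) and UDP port 3544 for Teredo. The following classifier is an added example, not code from the original answer or any of the cited RFCs; the sample packets are constructed here, carry no checksums, and use documentation/private address ranges.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41            # RFC 4213 encapsulation used by ISATAP and 6to4
PROTO_UDP = 17
TEREDO_PORT = 3544                 # RFC 4380 Teredo server port
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
SIXTO4_RELAY_ANYCAST = ipaddress.ip_address("192.88.99.1")
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ::0:5efe:w.x.y.z (RFC 5214 6.1)


def classify(packet):
    """Label a raw IPv4 packet 'ISATAP', '6to4', 'Teredo', 'IPv6-in-IPv4' or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst4 = ipaddress.ip_address(packet[16:20])
    payload = packet[ihl:]
    if proto == PROTO_IPV6_IN_IPV4 and len(payload) >= 40:
        inner_src = ipaddress.ip_address(payload[8:24])   # inner IPv6 source address
        if inner_src in SIXTO4_PREFIX or dst4 == SIXTO4_RELAY_ANYCAST:
            return "6to4"
        if inner_src.packed[8:12] in ISATAP_IID_PREFIXES:
            return "ISATAP"
        return "IPv6-in-IPv4"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "Teredo"
    return None


# Constructed sample packets: minimal headers, no checksums (enough for inspection).
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def ipv6_hdr(src, dst):   # next header 59 = "no next header", hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


SAMPLE_PACKETS = {
    "isatap": ipv4("10.1.1.5", "10.1.1.1", 41, ipv6_hdr("fe80::5efe:10.1.1.5", "fe80::5efe:10.1.1.1")),
    "6to4": ipv4("203.0.113.7", "192.88.99.1", 41, ipv6_hdr("2002:cb00:7107::1", "2001:db8::1")),
    "teredo": ipv4("192.0.2.10", "198.51.100.20", 17, struct.pack("!HHHH", 50000, 3544, 8, 0)),
    "https": ipv4("192.0.2.10", "198.51.100.20", 6, bytes(20)),
}
```

Running `classify` over each entry of `SAMPLE_PACKETS` labels the first three as ISATAP, 6to4 and Teredo and the plain TCP packet as None; a default-deny policy that drops protocol 41 and UDP/3544 at the border blocks exactly these three classes.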
These threats are relevant only if you do not know the current impact of IPv6 tunneling on your existing IPv4 network. As usual, knowledge is the key element of security. The threats are of two types, explained in the two notes below.
NOTE: [RFC6169] describes the security implications of tunneling mechanisms in detail. Of the plethora of tunneling mechanisms that have so far been standardized and widely implemented, the so-called "automatic tunneling" mechanisms (such as Teredo, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), and 6to4) are of particular interest from a security standpoint, since they might be employed without prior consent or action of the user or network administrator.
Tunneling mechanisms should be a concern not only to network administrators who have consciously deployed them but also to those who have not deployed them, as these mechanisms might be leveraged to bypass their security policies.
NOTE: [CERT2009] contains some examples of how tunnels can be leveraged to bypass firewall rules. The aforementioned issues could be mitigated by applying the common security practice of only allowing traffic deemed "necessary" (i.e., the so-called "default deny" policy). Thus, when such a policy is enforced, IPv6 transition/coexistence traffic would be blocked by default and would only be allowed as a result of an explicit decision.