Rule validation should be on a list of checks. This should continue with any rule change, but that often does not scale. At a minimum, Access Control Lists and firewall rules must be tested when implementing dual stack. Enter story:
A little over four years ago I started my journey with IPv6, to the point of setting up tunneling at home and getting my entire home network IPv6 enabled. This was actually quite simple with Tunnel Broker. The interesting part of this story comes in when you take a look at how dual stack works and firewall traffic. To make a long story short, I did not test the home firewall and discovered that it routed tunneled traffic but did not filter the tunneled traffic (big thanks to Dr J, whom I was testing with at the time, for pointing this out).
For the record, my open network gap was only about 15 minutes, but let's make sure that yours is 0 minutes.
Talking about the dual stack, there are some applications that handle IPv6 traffic in a separate process and then pass the packet into the application process. Other applications use the same memory stack to process IPv6 packets. For example, in some cases an application can bind to the IPv6 stack and listen for both IPv4 and IPv6 packets. If I recall correctly, Samba 4.x does it this way; check your manuals and developer threads for specifics, and be sure to understand how internet-facing applications bind their stacks!
What can we do about it? Well, what I do is fire up Scapy on one end and Netcat on the other, and transmit traffic across the firewall boundary.
There is an RFC-based set of addresses that you can use internally and/or in a lab to test this process (it even works on most virtual machine setups), called ULA or Unique Local Addresses. This is an analog to RFC 1918 (sort of) and can allow you to set up fully routable internal IPv6 networks for testing, ESPECIALLY firewalls and ACLs.
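As an added example (not part of the original diary), this Python code builds an RFC 4193 ULA /48 for a firewall test lab using the pseudo-random Global ID procedure from section 3.2.2 of the RFC, then carves out /64s for each side of the boundary. The MAC address is a constructed sample and the function names are assumptions of this example.

```python
import hashlib
import ipaddress
import struct
import time

ULA_BLOCK = ipaddress.ip_network("fc00::/7")   # RFC 4193 Unique Local range
NTP_EPOCH_OFFSET = 2208988800                  # seconds between 1900 and 1970


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def ula_prefix(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1(NTP time || EUI-64), low 40 bits = Global ID."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time % 1) * 2**32)
    key = struct.pack("!II", seconds & 0xFFFFFFFF, fraction) + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]
    # fc00::/7 with the L bit set is fd00::/8; the 40-bit Global ID follows it.
    packed = b"\xfd" + global_id + bytes(10)
    return ipaddress.IPv6Network((packed, 48))


def lab_subnets(prefix: ipaddress.IPv6Network, count: int) -> list:
    """First `count` /64 subnets of the /48, e.g. one per side of the firewall."""
    subnets = prefix.subnets(new_prefix=64)
    return [next(subnets) for _ in range(count)]


def is_ula(address: str) -> bool:
    """True when the address is in fc00::/7 (not meant for the global Internet)."""
    ip = ipaddress.ip_address(address)
    return ip.version == 6 and ip in ULA_BLOCK


if __name__ == "__main__":
    # Constructed sample MAC; the timestamp is the clock value at run time.
    prefix = ula_prefix("02:00:5e:10:00:01", time.time())
    inside, outside = lab_subnets(prefix, 2)
    print("lab /48:", prefix)
    print("inside :", inside, " outside:", outside)
```

Addresses from the two /64s can then be assigned to the hosts on each side of the firewall under test, and `is_ula` can be used to confirm that lab traffic captured on the boundary carries only lab addresses.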
From RFC 4193:
Check back later this week for part 2, which will have the demonstration on how I test along with some downloadable Virtual Machines for your own labs.
--- ISC Handler on Duty
Mar 11th 2013