Differences between router IPv6 and IPv4 firewalls

Source: Internet
Author: User

The role of the firewall on a network hardly needs stating. The firewall is the network's first line of defense: it is used to block attacks from the public Internet and to restrict local users' access to the public Internet. With the emergence of IPv6 there are new requirements for firewalls. Although IPv6 and IPv4 provide similar services, there are subtle differences between the two protocols, and these have a large effect on firewall devices and their operation.

1. A major change in IPv6 is the adoption of a fixed-length protocol header in place of the variable-length header used in IPv4. Any options that are needed are carried in extension headers, which sit between the fixed IPv6 header and the encapsulated upper-layer protocol. Different extension headers are used depending on which systems must process the options: options to be processed by the destination host go in a Destination Options header, and options to be processed by routers along the path go in a Hop-by-Hop Options header. In principle this lets a router or host parse and process only the options meant for it, unlike IPv4, where every node that handles a packet must parse all of its options.

2. This header layout produces the IPv6 header chain: several headers linked one after another. The first is the IPv6 header and the last is the upper-layer protocol header. Each extension header carries its own length and the type of the next header in the chain.

Consequently, anything that processes an IPv6 packet must walk the complete header chain to reach the header it needs. The Fragment header is a special type of extension header; it carries the fields needed to implement IPv6 fragmentation.

Unlike IPv4, IPv6 does not store the fragmentation-related fields in the fixed IPv6 header but in an optional Fragment header. The fragmenting host therefore only has to insert a Fragment header into the header chain and then append the piece of the original packet that belongs to that fragment.

3. Any system that needs upper-layer information (such as TCP port numbers) must process the entire IPv6 header chain. Moreover, because the current protocol standard allows any number of extension headers, including multiple instances of the same extension header type, this has several consequences for firewalls and similar devices: to perform deep packet inspection (DPI) the firewall must parse multiple extension headers, which may degrade WAN performance, open the door to denial-of-service (DoS) attacks, or allow the firewall to be bypassed.

4. Because the current protocol specification allows any number of extension headers, including multiple instances of the same type, the firewall must be able to fully process packets that carry abnormal sequences of IPv6 extension headers. Attackers may exploit this: they can deliberately add a large number of extension headers to their packets, forcing the firewall to spend excessive resources processing the headers that precede the payload.

In the end this may degrade firewall performance or cause a DoS condition. In addition, some poorly implemented firewalls may not process the entire IPv6 header chain when applying their filtering policy, which lets an attacker use extension headers to evade the firewall.

5. IPv6 fragments can also be abused, in much the same way as IPv4 fragments. For example, to defeat the firewall's filtering policy an attacker may send overlapping fragments, interfering with the reassembly process on the target host.

In IPv6 the problem is worse, because combining multiple IPv6 extension headers with fragmentation can produce fragments that are of "normal" size yet lack basic information the filtering policy normally needs, such as the TCP port numbers. That is, the first fragment of a packet may contain so many IPv6 options that the upper-layer protocol header ends up in a later fragment rather than the first one. Current standards address this case: RFC 7112 requires the first fragment to carry the entire header chain, and a firewall is entitled to drop first fragments that do not.

6. IPv6 transition and coexistence technologies create another problem for IPv6 firewalls. Most transition technologies use tunnelling, in which one network-layer protocol (usually IPv6) is encapsulated in another (usually IPv4). This affects firewall security considerably: the firewall may not recognise a particular transition technology, or may be unable to apply to it the filtering policies it supports for native IPv6 traffic. For example, a site may block packets destined for TCP port 25 over native IPv4 or native IPv6, yet fail to block the same packets once Teredo or another tunnelling mechanism is in use.

7. Transition technologies can aggravate the problems above: not only may the encapsulated traffic use a combination of IPv6 extension headers and fragments, but the outer packets (usually IPv4) may be fragmented as well, which greatly increases the complexity of the resulting traffic. That complexity not only slows traffic handling but, more seriously, can defeat the firewall's filtering policy; for example, the firewall may be unable to process the entire header chain and thus unable to find the TCP header.

To apply an IPv6 packet filtering policy at all, a firewall must at least be able to process the entire IPv6 header chain. Ideally it should also understand IPv6 transition technologies, so that the filtering policies applied to native IPv6 traffic can be applied to tunnelled traffic as well.

In other words, the firewall should have a "default deny" policy, so that it blocks traffic it has no reason to allow, such as transition traffic it cannot inspect.
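As an added example (not from the original article), the following Python packet filter exercises points 3 to 7 above and the "default deny" conclusion: it walks the IPv6 header chain with a bounded extension-header budget, handles the Fragment header, looks inside Teredo (IPv6 in UDP/3544 in IPv4), and compares a "default allow" filter with a "default deny" one on constructed packets. The sample packets, the limit of four extension headers, the filter names and the simplified Teredo decapsulation (no Origin or Authentication indicators) are all assumptions of the example, not behaviour of any particular firewall product.

```python
import struct
# IANA protocol numbers. ESP (50) is left out of EXT_HEADERS on purpose: its payload is
# encrypted, so a filter cannot walk past it and has to decide on the ESP header alone.
TCP, UDP, HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 6, 17, 0, 43, 44, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
MAX_EXT_HEADERS = 4   # policy knob (assumption): a longer chain is treated as abuse
TEREDO_PORT = 3544    # UDP port registered for Teredo

def walk_ipv6_chain(pkt, max_ext=MAX_EXT_HEADERS):
    """Walk the header chain; on verdict 'ok' report proto and, for TCP/UDP, the ports."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return {"verdict": "malformed"}
    nxt, off, seen = pkt[6], 40, 0
    while nxt in EXT_HEADERS:
        seen += 1
        if seen > max_ext:
            return {"verdict": "too_many_ext", "ext_headers": seen}
        if off + 8 > len(pkt):
            return {"verdict": "truncated", "ext_headers": seen}
        if nxt == FRAGMENT:
            # fixed 8 bytes: next header, reserved, offset(13) | res(2) | M(1), identification
            nxt, _, frag_field, _ident = struct.unpack_from("!BBHI", pkt, off)
            if frag_field >> 3:   # non-first fragment: payload follows, not headers, so stop here
                return {"verdict": "non_first_fragment", "ext_headers": seen}
            hdr_len = 8
        elif nxt == AH:
            nxt, hdr_len = pkt[off], (pkt[off + 1] + 2) * 4   # AH: length in 32-bit words minus 2
        else:
            nxt, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8   # HBH/Routing/DstOpts: 8-octet units minus 1
        off += hdr_len
    info = {"verdict": "ok", "proto": nxt, "ext_headers": seen}
    if nxt in (TCP, UDP):
        if off + 4 > len(pkt):   # chain promises TCP/UDP, but this packet (or fragment) ends before the ports
            return {"verdict": "no_upper_layer", "proto": nxt, "ext_headers": seen}
        info["sport"], info["dport"] = struct.unpack_from("!HH", pkt, off)
    return info

def decapsulate_teredo(pkt):
    """Inner IPv6 packet if pkt is IPv4/UDP to or from the Teredo port, else None. Simplification:
    assumes no Teredo Origin/Authentication indicator sits in front of the IPv6 header."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != UDP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if TEREDO_PORT not in struct.unpack_from("!HH", pkt, ihl):
        return None
    inner = pkt[ihl + 8:]
    return inner if len(inner) >= 40 and inner[0] >> 4 == 6 else None

def naive_filter(pkt, blocked=frozenset({25})):
    """'Block TCP/25' as an IPv4-minded filter does it: native IPv6 only, default allow."""
    info = walk_ipv6_chain(pkt, max_ext=64) if pkt[0] >> 4 == 6 else {"verdict": "not ipv6"}
    blocked_hit = info["verdict"] == "ok" and info["proto"] == TCP and info["dport"] in blocked
    return "DROP" if blocked_hit else "ACCEPT"   # anything it cannot classify falls through

def strict_filter(pkt, blocked=frozenset({25})):
    """Same rule, done as the article asks: whole chain, inside Teredo, default deny."""
    pkt = decapsulate_teredo(pkt) or pkt      # native-IPv6 policy applies to tunnelled IPv6 too
    if pkt[0] >> 4 != 6:
        return "DROP"                         # this toy has IPv6 rules only; nothing else is allowed
    info = walk_ipv6_chain(pkt)
    if info["verdict"] != "ok":               # truncated, too many headers, headerless first fragment or
        return "DROP"                         # non-first fragment (a real firewall would reassemble those)
    return "DROP" if info["proto"] == TCP and info["dport"] in blocked else "ACCEPT"

# --- constructed sample packets (documentation addresses, zero checksums, not a real capture) ---
V6_SRC, V6_DST = (bytes.fromhex("20010db8" + "00" * 11 + last) for last in ("01", "02"))
def ipv6(nxt, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + V6_SRC + V6_DST + payload
def dst_opts(nxt, extra_units=0):   # Destination Options holding one PadN option; 8*(extra_units+1) bytes
    size = 8 * (extra_units + 1)
    return bytes([nxt, extra_units, 1, size - 4]) + bytes(size - 4)
def fragment(nxt, offset, more, ident=0x1234):
    return struct.pack("!BBHI", nxt, 0, (offset << 3) | int(more), ident)
def tcp(dport, sport=40000):        # minimal 20-byte SYN; seq/ack/window/checksum left zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)
def teredo(inner):                  # IPv6 inside UDP/3544 inside IPv4 (192.0.2.1 -> 192.0.2.2)
    udp = struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT, 8 + len(inner), 0)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(inner), 0, 0, 64, UDP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return v4 + udp + inner

SAMPLES = {
    "smtp": ipv6(TCP, tcp(25)), "https": ipv6(TCP, tcp(443)),
    # first fragment that still carries the TCP header: the port is visible to both filters
    "frag_with_tcp": ipv6(FRAGMENT, fragment(DSTOPTS, 0, True) + dst_opts(TCP) + tcp(25)),
    # first fragment stuffed with 72 bytes of options: the TCP header lands in the *next* fragment
    "frag_no_tcp": ipv6(FRAGMENT, fragment(DSTOPTS, 0, True) + dst_opts(TCP, extra_units=8)),
    # six Destination Options headers chained in front of an ordinary TCP/443 segment
    "ext_flood": ipv6(DSTOPTS, dst_opts(DSTOPTS) * 5 + dst_opts(TCP) + tcp(443)),
    # the SMTP packet again, tunnelled as Teredo
    "teredo_smtp": teredo(ipv6(TCP, tcp(25))),
}

def compare():   # (naive, strict) verdict for every sample, keyed by name
    return {name: (naive_filter(p), strict_filter(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__": print(compare())
```

Run it directly to print both verdicts for each sample. The rows that matter are the first fragment without a TCP header, the six-header chain and the Teredo-tunnelled SMTP packet: the naive filter accepts all three because its "block TCP/25" rule never matches, while the strict filter drops them because it refuses anything it cannot fully classify. Dropping every non-first fragment, as strict_filter does, is only acceptable in a toy; a production firewall virtually reassembles fragments so that the policy is applied to the whole packet.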
