First, if you're doing security you should NEVER "assume" anything. That's a sure fire way to NOT get what you want out of a product.
Second, the U.S. Government has lots of checkboxes. Common Criteria, FIPS 140, etc. IPv6 can be viewed as a checkbox if you don't ask the right question, which is why I specifically am interested in not on the ability to "detect IPv6", but to actually properly decode IPv6, all the IPv6 methods, IPv6 tunnels, and other weirdness that I probably don't know about. We never ask enough questions about the ways our vendors implement these requirements and it gets us in trouble. For example, in IPv4 a typical header is normally 20bytes, but could be slightly larger, let's say 60bytes. Not a big deal for most people, and even old ASIC technology can handle 64 byte headers. But, a normal IPv6 header with options, and tunneling, could easily exceed the 64 byte header length, since it's arbitrary. A smart hacker could add enough options and tunnels to extend the header length to well past 1K (assuming a large MTU). I seriously doubt most vendors have accounted for this. So, when Cisco claims "enhanced visibility", I note that they did NOT answer my question specifically, and they don't go into any details about how they do it. The phrase "we detect IPv6" is not the same as the answer given by ISS & NFR. I'd like to actually more fully explore those answers, which I will do once I create a Matrix from vendors that give an appropriate response, because I STILL don't believe them. People ask questions around buzzwords, they get an answer, and then don't follow up with more detailed questions, because they assume vendors are doing the right thing... when in reality, many vendors will simply do "just enough". Sorry for the rant... I've gotten burned by making "assumptions". -d On 8 Nov 2005 00:34:12 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > I think its safe to assume that most of the IDS/IPS products support IPv6 > because its a U.S. government requirement if I'm not wrong. From personal > experience, nfr Sentivist is IPv6 aware. > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
