On Tue, 27 Nov 2001, Patrick Nolan wrote:

> Hi Werner,
> > 
> > what about firewalls ? when tunneling ipv6 packets in an encapsulated
> > ipv4 there should not be a problem, right ?
> 
> Depends on the type/location of the firewall.

The tunnel will likely be seen as Protocol 41, which you can choose to
allow or block.  I don't know of firewalls that look inside the tunnel.

We place tunnel endpoints outside our main (IPv4-firewalled) IPv4 network, 
such that any IPv6 traffic routing into our IPv6-only network, or to 
dual-stack hosts, has to pass through a dedicated IPv6 firewall (ip6fw on 
FreeBSD at present, given the lack of commercial products).  

Depending on your architecture, you may wish to host public (dual stack) 
IPv6 services in (one of) your IPv4 DMZ networks, by having a /64 advertised 
into that network.

The general message is to take care that adding IPv6 connectivity does not
bypass your otherwise (relatively) secure IPv4 defences.

I have replied instead to [EMAIL PROTECTED] as perhaps a more appropriate forum.

Tim

> Not much specific firewall and IDS work is available that I've found, and I've
> looked hard. Any list pointers to info would be appreciated.
> 
> After reading this:
> 
> "Internet Connection Firewall Does Not Block Internet Protocol Version 6 Traffic"
> http://support.microsoft.com/support/kb/articles/q306/2/03.asp
> 
> I contacted MS for further info and received this:
> 
> "Hi Patrick,
> 
> Thanks for your note.  I heard back from the devs and learned that if
> IPv6 is installed and the machine receives an IPv6 packet encapsulated
> in IPv4, then ICF WILL intercept the packet before it is handed to the
> IPv6 stack.
> 
> I hope this answers your question sufficiently.  If you have any other
> questions or concerns, don't hesitate to contact me.  We appreciate your
> interest and feedback."
> 
> So many questions are unanswered at this point.
> 
> Pat
> 
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page:                      http://playground.sun.com/ipng
> FTP archive:                      ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------
> 


---------------------------------------------------------------------
The IPv6 Users Mailing List
Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]
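
An added example, not part of the original message or of any product mentioned in it: a Python sketch of the check discussed above, which recognises IPv4 packets carrying protocol 41, accepts them only from a known tunnel endpoint, and exposes the inner IPv6 header so that an IPv6 policy can be applied to it. The addresses, the `ALLOWED` set, the verdict strings and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IP protocol number for IPv6 encapsulated in IPv4

def inspect_tunnel_packet(packet, allowed_endpoints):
    """Classify one raw IPv4 packet; for protocol 41, expose the inner IPv6 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"verdict": "drop", "reason": "not a valid IPv4 header"}
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return {"verdict": "drop", "reason": "bad IPv4 header length"}
    proto = packet[9]
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    if proto != PROTO_IPV6_IN_IPV4:
        return {"verdict": "pass-to-ipv4-policy", "proto": proto}
    if outer_src not in allowed_endpoints:
        return {"verdict": "drop", "outer_src": outer_src,
                "reason": "protocol 41 from unknown tunnel endpoint"}
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return {"verdict": "drop", "reason": "truncated or non-IPv6 payload"}
    # The inner header is what the dedicated IPv6 firewall must filter on.
    return {
        "verdict": "pass-to-ipv6-policy",
        "outer_src": outer_src,
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
    }

def build_sample(outer_src, proto, inner):
    """Constructed sample: minimal IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address("192.0.2.1").packed)
    return hdr + inner

# Constructed inner IPv6 header: TCP (6) from 2001:db8::1 to 2001:db8::2, no payload.
SAMPLE_INNER = (struct.pack("!IHBB", 0x60000000, 0, 6, 64)
                + ipaddress.IPv6Address("2001:db8::1").packed
                + ipaddress.IPv6Address("2001:db8::2").packed)
ALLOWED = {"198.51.100.7"}  # hypothetical tunnel endpoint address

if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.9"):
        print(inspect_tunnel_packet(build_sample(src, 41, SAMPLE_INNER), ALLOWED))
```
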
