We'll study IPv6 Simple Security here, and test an IPv6 router's implementation of this feature.
The tests will be performed using a D-Link DIR-626L, a neat, feature-rich IPv6 router costing around 40 $/€.
IPv6 Simple Security
IPv6 Simple Security refers to RFC 6092, whose aim is to give IPv6 consumer equipment a default setup that mimics the behaviour of an IPv4 NAT router:
Allow everything out
Deny everything in
Allow in the replies to recent outgoing requests
IPv4 NAT has proven to be a simple, secure default setup for most consumers, notwithstanding the trouble it creates for less typical uses (need for port forwarding, IPsec problems, VoIP problems, ...).
The goal of IPv6 Simple Security is to provide people with a default, secure, zero-configuration firewall mode.
IPv6 Simple Security also specifies default firewall pass-through for inbound IPsec and Mobile IPv6 traffic.
Practical Implementation and test
Please refer to this previous post for the firewall testing methodology.
. Scan the firewall from both sides
. Scan the router firewall using the ISP's network scanner
. Use the internet normally to check the IPv6 Simple Security behaviour in practice
Here is the checkbox to enable IPv6 Simple Security. Notice that ticking it automatically ticks 'IPv6 Ingress Filtering' (see previous post).
Here is the test setup:
The server is running a web server and a mail server. It has 7 open ports, including port 80.
We'll scan the server through the router, then switch sides (WAN server / LAN PC1) and rescan.
We'll add a rule for TCP port 80 and test it in each combination to see its effects.
Both the Zenmap results and the Wireshark log will be checked, to find open ports and passing packets.
Here is the resulting table:
This shows a number of things:
1. IPv6 Simple Security is functioning as expected: traffic is allowed out, reply traffic is allowed back in, but inbound traffic that was not initiated from inside is blocked.
2. Using IPv6 Simple Security, the WAN side is closed, whether the firewall is set to off, 'allow rules listed' or 'deny rules listed'.
3. IPv6 Simple Security allows some ICMPv6 traffic through by default, unless a specific deny rule is created. This is by design (RFC 4890).
4. Using IPv6 Simple Security, setting the firewall to 'allow rules listed' shuts down the LAN > WAN traffic. This leads to a somewhat eerie conclusion:
'deny rules listed' mode is not restrictive: it does not cancel the IPv6 Simple Security WAN block
'allow rules listed' mode is restrictive: it cancels the IPv6 Simple Security outflow
This means that if we want to open an inbound port (for web server hosting, as an example), we have to use the 'allow rules listed' mode, and thus have to create an outgoing rule for normal outbound internet traffic, effectively leaving IPv6 Simple Security for the realm of manual stateful firewalling. IPv4 NAT usually lets you create an inbound rule while keeping the automatic mode. Here is how an inbound port has to be opened on the D-Link DIR-626L:
We then test the firewall online, using the ISP's online scanner:
The results are in line with the preceding test and confirm it.
Finally, a few web surfing tests confirm that the D-Link IPv6 Simple Security behaves well.
A few final notes about the D-Link DIR-626L IPv6 Simple Security firewall:
o As stated in the previous post, linking up two DIR-626L routers with Ingress Filtering enabled results in the inner router's traffic being dropped by the internet gateway:
and ticking IPv6 Simple Security automatically ticks Ingress Filtering. An 'allow all out' rule has to be created on the internet gateway router.
This is somewhat new compared to the easy link-up (cascading) of IPv4 routers.
o Throughout the test, no dropped packet was ever logged, although the right logging options were set and the logs were checked both on the router's admin web page and on a syslog server the router was connected to.
o A rather curious bug in the firewall settings:
Although the code for 'any IP' is :: (double colon), it becomes blank once saved. Say you create rule 1 with 'any IP' for both the source and destination address scopes. When saved, the :: gets replaced by a blank. Everything still works fine. But when you later make changes to, say, rule 3, you have to refill the IP scopes of rule 1 with the needed ::. Leaving the blank gives an 'Invalid IP address' message. Not easy to guess at first.
RFC 4890 clarifies the recommended ICMPv6 filtering rules for firewalls. Among other things, it states that:
. ICMPv6 is required for IPv6 to function properly, so only some types of ICMPv6 traffic should be dropped.
. Due to the large IPv6 host ID space, and provided a non-predictable host ID scheme is used (temporary or one-time randomized addresses), network scanning ceases to be a concern.
So it is to be expected that pings and traceroutes pass IPv6 firewalls by default. A deny rule has to be used to explicitly block them:
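To make the behaviour observed above concrete, here is an added example (my own code, not the router's firmware or anything from the RFCs) modelling the RFC 6092 default policy described at the top of this post: everything out, nothing unsolicited in, replies to recent outbound flows in, plus the RFC 4890 ICMPv6 types that a firewall must not drop unless an explicit deny rule exists. The addresses, port numbers, the 120 s flow timeout and the flat per-type ICMPv6 handling are constructed assumptions for the model.

```python
from dataclasses import dataclass

# ICMPv6 types RFC 4890 section 4.3.1 says must not be dropped
# (Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem,
# Echo Request, Echo Reply). Assumption: codes are not distinguished here.
ICMPV6_MUST_PASS = {1, 2, 3, 4, 128, 129}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmpv6"
    sport: int = 0  # for icmpv6 this field carries the ICMPv6 type
    dport: int = 0


class SimpleSecurity:
    """RFC 6092 style default filter: out always, in only as a reply."""

    def __init__(self, flow_timeout=120):
        self.flow_timeout = flow_timeout  # seconds (constructed; real timers are longer)
        self.flows = {}                   # 5-tuple of outbound packet -> last seen time
        self.deny_icmpv6 = set()          # explicit deny rules, by ICMPv6 type

    def outbound(self, p, now):
        """LAN > WAN: always permitted, and remembered so the reply can come back."""
        self.flows[(p.src, p.dst, p.proto, p.sport, p.dport)] = now
        return True

    def inbound(self, p, now):
        """WAN > LAN: permitted only for ICMPv6 exceptions or a recent flow's reply."""
        if p.proto == "icmpv6":
            return p.sport in ICMPV6_MUST_PASS and p.sport not in self.deny_icmpv6
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        seen = self.flows.get(reverse)
        if seen is None or now - seen > self.flow_timeout:
            return False                  # unsolicited, or the flow has expired
        self.flows[reverse] = now         # reply traffic keeps the flow alive
        return True


if __name__ == "__main__":
    # Constructed walk-through mirroring the post: web server behind the router.
    fw, lan, wan = SimpleSecurity(), "2001:db8:1::10", "2001:db8:2::80"
    fw.outbound(Packet(lan, wan, "tcp", 51234, 80), now=0)
    print("reply in:", fw.inbound(Packet(wan, lan, "tcp", 80, 51234), now=1))
    print("WAN scan of port 80:", fw.inbound(Packet(wan, lan, "tcp", 40000, 80), now=1))
    print("ping in:", fw.inbound(Packet(wan, lan, "icmpv6", 128), now=1))
```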