NIST IPv6 document

Owen DeLong owen at
Thu Jan 6 04:20:26 CST 2011

> On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum <iljitsch at> wrote:
>> A (relatively) easy way to avoid this problem is to either use a stateful firewall that only allows internally initiated sessions, or a filter that lists only addresses that are known to be in use.
> It would certainly be nice to have a stateful firewall on every single
> LAN connection.  Were there high-speed, stateful firewalls in 1994?
> Perhaps the IPng folks had this solution in mind, but left it out of
> the standards process.  No doubt they all own stock in SonicWall and
> are eagerly awaiting the day when "Anonymous" takes down a major ISP
> every day with a simple attack that has been known to exist, but not
> addressed, for many years.
> You must also realize that the stateful firewall has the same problems

Uh, not exactly...

> as the router.  It must include a list of allocated IPv6 addresses on
> each subnet in order to be able to ignore other traffic.  While this

Uh, no it doesn't. It just needs a list of the hosts which are permitted
to receive inbound connections from the outside. That's the whole
point of the stateful in stateful firewall... It can dynamically allow
outbound sessions and only needs to be open for hosts that are
supposed to receive external session initiations.

Since that list is relatively small and you probably need to maintain
it anyway, I'm not really seeing a problem here.

> can certainly be accomplished, it would be much easier to simply list
> those addresses in the router, which would avoid the expense of any
> product typically called a "stateful firewall."  In either case, you
> are now maintaining a list of valid addresses for every subnet on the
> router, and disabling NDP for any other addresses.  I agree with you,
> this knob should be offered by vendors in addition to my list of
> possible vendor solutions.

Except that routers don't (usually) have the ability to do dynamic outbound
filtration which means that you have the scaling problem you've described
of having to list every host on the net. If the router does have this ability,
then the router is, by definition, a stateful firewall.

> On Wed, Jan 5, 2011 at 9:39 AM, Iljitsch van Beijnum <iljitsch at> wrote:
>> Sparse subnets in IPv6 are a feature, not a bug. They're not going to go away.
> I do not conceptually disagree with sparse subnets.  With the
> equipment limitations of today, they are a plan to fail.  Let's hope
> that all vendors catch up to this before malicious people/groups.

There are risks with sparse subnets that have been inadequately addressed
for some of their failure modes at this time. I wouldn't go so far as saying they
are a plan to fail. In most cases, most networks shouldn't be susceptible
to an externally initiated ND attack in the first place because those should
mostly be blocked at your border except for hosts that provide services
to the larger internet.
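As an added example (not from the thread or any of its posters), here is the border policy Owen describes written as an nftables ruleset: conntrack admits replies to inside-initiated sessions, and only a short set of service hosts may receive externally initiated connections, so traffic to unused addresses in the sparse /64 is dropped before the inside router would ever have to resolve a neighbor for it. The prefix 2001:db8:1:1::/64, the interface names and the two service addresses are constructed for illustration.

```nft
# Added example, not from the thread. Assumptions (constructed):
# inside LAN is 2001:db8:1:1::/64, outside interface eth0, inside eth1.
define lan_pfx = 2001:db8:1:1::/64
define wan = eth0
define lan = eth1

table ip6 border {
    # The only hosts that may receive externally initiated sessions.
    # This short list, not an inventory of every host on the /64,
    # is what has to be maintained.
    set inbound_services {
        type ipv6_addr . inet_service
        elements = {
            2001:db8:1:1::443 . 443,   # constructed: web server
            2001:db8:1:1::25 . 25,     # constructed: mail relay
        }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful part: replies to sessions started from inside come
        # back in without any per-host rule.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate outbound freely; conntrack will
        # admit the return traffic via the rule above.
        iifname $lan oifname $wan ip6 saddr $lan_pfx accept

        # Outside may initiate only to the listed service host/port pairs.
        iifname $wan oifname $lan ip6 daddr . tcp dport @inbound_services ct state new accept

        # ICMPv6 errors end hosts need (PMTUD). NDP itself is link-local
        # and never transits this forward chain, so it needs no rule.
        iifname $wan oifname $lan icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept

        # Everything else bound for the /64 hits the drop policy here, so
        # the inside router never sends neighbor solicitations for
        # addresses that are not in use.
    }
}
```

Load with `nft -f` on the border box; adding a service host means adding one element to the set rather than touching the rules.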