
Monday, 26 September 2011

CISCO IOS Firewall for IPv6

This is the simplest firewall you will find for IPv6.
It is trivial to configure and at the same time powerful enough to provide the protection you need.

Its functions are:
  1. Traffic filtering
  2. Traffic inspection
  3. Alerts and audit trail
1) Traffic filtering
Traffic filtering is done with IPv6 ACLs.
Any non-stateful rule can be applied.
ACLs filter only the initiating packets of a session; return traffic is handled by the inspection engine.

2) Traffic inspection
The inspection engine examines IPv6 packets and updates the state table.
Only return traffic that belongs to an existing session is permitted.
That return traffic bypasses all ACLs: the session entry admits it before the interface ACL is consulted.

3) Alerts and Audit Trails
Automatic alerts are sent by default and can be disabled.
The audit trail (off by default; it has to be enabled explicitly) generates one log entry per session with:
  • source address and port
  • destination address and port
  • amount of data transmitted
Audit trail messages are sent when the connection terminates.

End-to-End connectivity
Stateful inspection breaks end-to-end connectivity.
It has the same limitation as IPv4 NAT: only traffic that belongs to an existing session is permitted, so an unsolicited inbound connection never reaches the host.
Complex protocols that negotiate secondary connections need Layer 7, protocol-specific inspection.

Solution:
perform stateful inspection only on the end host (a host firewall).

TCP Session Inspection
TCP is connection-oriented.
The stateful packet inspection engine checks the TCP flags to build its state table:
  • the SYN, SYN-ACK, ACK exchange creates a connection entry
  • FIN and RST tear the connection down
The stateful packet inspection engine therefore has the same knowledge of the state of a connection as the end hosts do.

UDP and ICMP Traffic
Connectionless do not keep track of sessions.
Hosts do not store the state of the connection.
For UDP, stateful packet inspectioin briefly waits for return packets that match the criteria (address, ports pairs).
For ICMP, statedul packet inspection briefly waits for matching packets, based on outgoing traffic.


FTP Inspection
FTP control packets are inspected.
The data connection information (addresses and ports announced on the control channel) is extracted.
Data connection packets are then permitted by stateful packet inspection.
The mechanism fails if the control channel is encrypted (for example, FTP over TLS): the inspection engine cannot read the port negotiation.

Inspection Configuration
  1. Define an inspection rule set with ipv6 inspect name (one line per protocol to inspect)
  2. Apply it to an interface in the direction in which sessions are initiated
! inspection rule set named Out
ipv6 inspect name Out tcp
ipv6 inspect name Out udp
ipv6 inspect name Out icmp
ipv6 inspect name Out ftp

! interface number assumed; the original omitted it
interface GigabitEthernet0/0
  ipv6 inspect Out out


IPv6 Routing Header
Packets carrying a routing header are dropped by default. To have them inspected and passed instead:
ipv6 inspect routing-header
Leave this off unless you need it: the Type 0 routing header was deprecated by RFC 5095 because it enabled traffic amplification.
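A complete configuration that ties the three functions together, added here as an example (it is not the configuration from the original post): the inbound ACL for filtering, the inspection rule set with its timeouts, the audit trail, and the routing-header default. The interface names, the 2001:db8::/32 documentation prefix, the published SMTP host and the timeout values are assumptions; adjust them to your network.

```cisco
! Added example, not the original post's configuration. Interface names,
! the 2001:db8::/32 documentation prefix, the SMTP host and the timeout
! values are assumptions.
!
! 1) Traffic filtering: an ACL applied inbound on the outside interface.
!    It only sees initiating packets; return traffic of inspected sessions
!    is admitted by the state table before this ACL is consulted.
!    Caveat: the explicit "deny ipv6 any any log" at the end overrides the
!    implicit ND permits every IPv6 ACL carries, so NS/NA must be re-added
!    or Neighbor Discovery on the link breaks.
ipv6 access-list OUTSIDE-IN
 remark -- Neighbor Discovery and Path MTU Discovery must keep working
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any packet-too-big
 remark -- inbound services actually published (assumed host)
 permit tcp any host 2001:db8:1::25 eq 25
 remark -- everything else that matched no inspection session
 deny ipv6 any any log
!
! 3) Alerts and audit trail: alerts are on by default; the audit trail is
!    off by default and must be enabled to get the per-session log entries.
!    ("ipv6 inspect alert-off" would silence the alerts; leave them on.)
ipv6 inspect audit-trail
!
! 2) Traffic inspection: one rule set, one line per protocol. The timeouts
!    bound how long a half-open or idle entry lives in the state table
!    (values assumed; tune to the traffic you see).
ipv6 inspect tcp synwait-time 15
ipv6 inspect name OUT tcp timeout 3600
ipv6 inspect name OUT udp timeout 30
ipv6 inspect name OUT icmp
ipv6 inspect name OUT ftp
!
! Routing headers stay dropped (the default). Do not add
! "ipv6 inspect routing-header" unless a routing header type is really needed.
!
interface GigabitEthernet0/0
 description Outside (assumed)
 ipv6 address 2001:db8:1::1/64
 ipv6 traffic-filter OUTSIDE-IN in
 ipv6 inspect OUT out
!
interface GigabitEthernet0/1
 description Inside (assumed)
 ipv6 address 2001:db8:2::1/64
!
end
```

Verify with `show ipv6 inspect config` (rule set and global timers), `show ipv6 inspect interfaces` (where the rule set is applied), `show ipv6 inspect session detail` (the live state table, which should show an entry for every outbound session and nothing for unsolicited inbound attempts) and `show ipv6 access-list OUTSIDE-IN` (hit counts on the explicit deny, which is where blocked initiating packets are counted).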
