I wrote this article to support all our colleagues around the world who are testing or deploying IPv6 on their networks.
Recently, my team and I have been working on a lab to deploy IPv6 in our office. We finally succeeded in getting an IPv6 network communicating with an IPv4 network and with the internet (it seems easy, but it took us 3 days of reading and testing). We did this with a UTM firewall using NAT64.

Everything went well until we tried to halt the traffic going to the internet (IPv6 network -> IPv4 internet). When we configured the security policies, they didn't stop the traffic. We started to research and noticed that there were no logs for the traffic except for the NAT64 communication.

We also tried to block all the traffic - no matter what application, source port, destination port, source IP, or destination IP. Guess what? The traffic still went through. Even when we decrypted the traffic (with a man-in-the-middle attack), we didn't see anything other than tcp80, tcp443 or udp443.

It seems that on some devices, the NAT64 rule bypasses any kind of security policy. This is a big red alarm for security developers. We already talked with the manufacturer's engineering team, and they're going to look for a solution to this problem.

The biggest problem is that if we can't control and identify any kind of traffic that is exiting our LAN, how could we take care of attacks coming from the outside using IPv6?

For specific reasons I can't share which firewall we're using in the lab. Instead, I invite you to build a testing lab and see whether your firewall vendor can really detect IPv6 traffic (not only IPv6 to IPv6, but IPv6 to IPv4).

I hope this helps network engineers, security engineers, developers, vendors, etc. to harden their security. When we finally get to an IPv6 world, it can be a safe one.

Mario Sanchez Novelo
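A small lab check for the test recommended above, added here as an example and not the author's own tooling: it synthesizes the NAT64 address of an IPv4-only host you control (RFC 6052 /96 embedding; the well-known prefix 64:ff9b::/96 and the documentation address 192.0.2.10 are assumptions, replace them with your firewall's prefix and your own target), attempts TCP connects from the IPv6 LAN, and reports every port that connected although your deny policy should have blocked it.

```python
"""Lab check: does a deny policy really stop IPv6 -> IPv4 traffic through NAT64?"""
import ipaddress
import socket

# Well-known NAT64 prefix (RFC 6052). Assumption: swap in the prefix your firewall uses.
DEFAULT_NAT64_PREFIX = "64:ff9b::/96"


def synthesize_nat64(ipv4: str, prefix: str = DEFAULT_NAT64_PREFIX) -> str:
    """Embed an IPv4 address in a /96 NAT64 prefix (low 32 bits = the IPv4 address)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


def classify(results: dict, expected_blocked: set) -> dict:
    """Compare observed reachability with the policy you configured.

    results: {port: True if the TCP connect succeeded}; expected_blocked: ports the
    policy should deny. Any successful connect on a denied port is a policy bypass.
    """
    bypass = sorted(p for p, ok in results.items() if ok and p in expected_blocked)
    as_expected = sorted(p for p in results if p not in bypass)
    return {"policy_bypass": bypass, "as_expected": as_expected}


def probe(ipv6: str, ports, timeout: float = 3.0) -> dict:
    """Attempt a TCP connect from this IPv6 host to each port via the NAT64 address."""
    out = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((ipv6, port))
            out[port] = True
        except OSError:  # refused, timed out, or actually dropped by the firewall
            out[port] = False
        finally:
            sock.close()
    return out


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address; use an IPv4-only host you control.
    target = synthesize_nat64("192.0.2.10")
    observed = probe(target, [80, 443, 8080])
    # Assumes the lab policy is "deny all IPv6 -> IPv4": every successful connect is a bypass.
    print(target, classify(observed, expected_blocked={80, 443, 8080}))
```

Cross-check the report against the firewall's traffic log: a port listed under policy_bypass with no matching log entry reproduces exactly the symptom described above.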