Add IPv6 support for IPFW2 Firewall and DUMMYNET traffic shaper
by Raffaele De Lorenzo, Luigi Rizzo, Mariano Tortoriello
Abstract
We illustrate how to build a firewall and a traffic shaper for the FreeBSD system (including Releng 4.x, 5.x, 6.x) with enhanced IPv6 filter capabilities compared to standard IPv4 capabilities. IPv6 will soon become the new standard Internet Protocol, and it differs radically from IPv4. New security policies are needed for all systems that currently use (or will use) the IPv6 protocol. As far as compatibility is concerned, the new protocol can coexist with the old one, since they can work independently. Therefore, it will be possible to move gradually from IPv4 to IPv6.
The goal of this paper and the related code is to implement IPv6 support inside the existing firewall and traffic shaping programs (IPFW2/DUMMYNET), which support only IPv4. In this way, compatibility is preserved. In the first section we describe in detail the IPFW2 Firewall and DUMMYNET Traffic Shaper, including functionality and rule structure. We also describe the technical implementation and the hook with the IPv4 FreeBSD kernel stack. In the second section we describe the Internet Protocol Version 6 (IPv6), the main differences with respect to IPv4, and how IPv6 is included in the FreeBSD kernel (IPv6 stack). In the third section we describe our implementation, aimed at making IPFW2 and DUMMYNET work with IPv6 rules. We describe in detail the hooking with the FreeBSD IPv6 stack, which is crucial for a correct implementation. Tests are described in the last section.
On April 18th 2005 this code was committed in FreeBSD CURRENT by Brooks Davis (via Luigi Rizzo). See http://www.freebsd.org/news/status/report-jan-2005-mar-2005.html for more info.
Author bio
RAFFAELE DE LORENZO received the Laurea degree (5 years) in Computer Science Engineering from the University of Pisa (Italy) in 2003. He is currently a System Network and Security Engineer with Banca Intesa in Parma, Italy, where he develops network security for the Bank.
LUIGI RIZZO received a Ph.D. degree in Electronic Engineering from the SSSUP S. Anna in Pisa, Italy in 1993. Since 1991 he has been with the Dipartimento di Ingegneria dell'Informazione at the University of Pisa, where he is currently an Associate Professor.
MARIANO TORTORIELLO received the Laurea degree (5 years) in Computer Science Engineering from the University of Pisa, Italy, in 2003. He is the executive director of a small mechanical engineering company.