[ipv6hackers] my IPv6 insecurity slides

Thu Dec 1 02:48:37 CET 2011

Sent from my iPad

On Nov 30, 2011, at 4:54 PM, Fabian Wenk <fabian at wenks.ch> wrote:

> Hello Owen
> 
> On 30.11.2011 20:19, Owen DeLong wrote:
>> Whitelisting sucks!
>> 
>> However, if you can convince Lorenzo to add your resolver, you do get:
> 
> As I wrote in the other mail, I probably need some side channel to get this for my private IPv6 network. Could you give me a contact to Lorenzo?
> 

I don't have his permission to give out his contact information. If you google ipv6 whitelist, you might get some useful leads.

> 
>> And yet they buy insurance, even though the river above them
>> is not flooding yet, the building is not yet on fire, the
>> tornado has not yet removed the roof, and the earthquake has
>> not yet caused the building to collapse.
>> 
>> Why is it that they can see the business continuity issues
>> with not having insurance, but, we have not been able to
>> properly convey the very same issues with failing to deploy
>> IPv6?
> 
> Probably the wrong people do the decisions where to spend the money.
> 

Whether that's true or not, it is irrelevant. The people who make the decisions are the people who are maki g the decisions. The question we must ask and the problem we must solve is how to convince those decision makers of these simple mathematics.

>>> I did see some strange behavior with IPv6. One just recently
>>> with sending e-mails to an other dual stacked mail server.
>>> And the second with the IDLE function between my mail client
>>> and my IMAP server. As far as I know, the version of
>>> Thunderbird (3.1.16) I am using fails, so I force it to
>>> IPv4. It is fixed in newer versions, but I do not like to
>>> upgrade to the fast release cycle of TB and I am waiting
>>> until the Extended Support Release is available.
>>> 
>> 
>> Care to provide any details on the server side email issue?
> 
> It was to a domain which only has one MX entry in DNS (but with both IPv4 and IPv6 entries). The mail was stuck in the queue with connection timeouts (over IPv6). Manual testing with telnet showed, that the connection was working. I could send a small test e-mail trough telnet, but a larger mail failed. A traceroute or mtr showed, that a few hosts before the destination servers probably ICMP was filtered. I guess it was a problem with the MTU somewhere around there. A few days later it was working again. IPv4 would have worked, but my server did not fall back to this, as the connection to the same server could be initiated on IPv6.
> 

Ah, yes, broken PMTU-d is the leading problem with IPv6 implementations in the real world today.

It was probably broken for IPv4, but we've long since ubiquitously deployed PMTU workarounds I IPv4. We're still trying to just fix PMTU for IPv6.

> For my own mail server I have 3 MX entries (all pointing to the same physical server), the one with the lowest priority has both IPv4 and IPv6 entries, the middle with only an IPv4 entry and the highest with only IPv6 entry (to fool spam bots which are on IPv4 only). I think that such an setup could have helped on the receiving side, so that my server would have tried on a different MX (with only IPv4) to send the mail.

What's the point of the third one?

> 
>>> Who thinks that IPv6 will fix basic problems like spam and
>>> botnets? I do not thinks so, why should this fix it? It even
>>> will not fix phishing and other social engineering tricks
>>> done nowadays. They will also move to IPv6 as soon as they
>>> see enough business there.
>>> 
>> 
>> In fact, IPv6 may make it harder to combat spam and botnets in some ways
>> due to the vast amount of address space and commensurate complication
>> of maintaining useful reputation systems due to database size issues and rapid
>> address mobility.
> 
> This is true and still a very large issue. From this point of view, it is a "good" thing, that normal end users do not have IPv6 yet. Who is going to teach the users do keep their system and software up to date and not click on any random .pdf.exe attachment they receive? This would probably stop the spam too.
> 

I think having the spam problem get that much worse may be the necessary catalyst for user education, unfortunately.

In any case, I think we'll just have to adapt.

> 
>>> I even see new devices sold today, which are not able to run
>>> IPv6. Modern home cinema equipment (eg. A/V receiver, TV,
>>> media player) come with WLAN or LAN, but are not able to use
>>> IPv6. I am happy that my internal network also does support
>>> IPv4 behind NAT. :)
>> 
>> The question is do you buy them? I have started telling
> 
> Yes, I did. :(
> I have replaced my very old 4:3 CRT TV with a new flat screen. And on the TV my preferences were on the picture quality, which I really like with the intelligent back light LED (not edge LED) which gives true black where it has to be black. The support of IPv6 was not really important to me. This new TVs do have a lot of Internet gimmicks like Skype, Youtube and a browser, but I do not use them. I just use it to watch TV or as a large screen for content from other devices. So the Internet connection on the TV is only used for firmware updates. I should probably create a IPv6 only network and connect the TV to it and then call support because the network setup (even automatic) is not working...

I like that idea. I'm looking forward to upgrading to one of these when they have IPv6 support. Inthemeantime, I have non-networked LCD displays that I make do with.

> 
>> vendors of such equipment that I will not buy their product
>> until it includes IPv6 support. In a few cases, making this
>> statement and waiting a year has yielded an IPv6-capable
>> product. The more people who start telling vendors this, the
>> more products we will see get updated with IPv6 support.
> 
> Sure, this should be done, and I do it with "real" IT equipment.
> 

You should do it wi CE too IMHO.  I do.

Owen

> 
> bye
> Fabian
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers